CVE-2019-5736
Severity: HIGH (9.3)

Published: 11/02/2019 Updated: 08/03/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.6 | Impact Score: 6 | Exploitability Score: 1.8

Vulnerability Summary

runc up to and including 1.0-rc6, as used in Docker prior to 18.09.2 and other products, allows malicious users to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Affected Products

Vendor          | Product                 | Versions
Docker          | Docker                  | 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.10., 0.11., 0.12., 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.5.0, 1.6, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.13.0, 1.13.1
Google          | Kubernetes Engine       | -
Hp              | Onesphere               | -
Linuxcontainers | Lxc                     | -
Opencontainers  | Runc                    | 1.0
Redhat          | Openshift               | 3.4, 3.5, 3.6, 3.7, 3.9
Redhat          | Enterprise Linux        | 7.0
Redhat          | Enterprise Linux Server | 7.0

Vendor Advisories

Synopsis: Important: docker security update. Type/Severity: Security Advisory: Important. Topic: An update for docker is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base s ...
Synopsis: Important: runc security update. Type/Severity: Security Advisory: Important. Topic: An update for runc is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score ...
Synopsis: Important: Container Development Kit 3.7.0-1 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat Container Development Kit 3.7.0-1 update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...
Synopsis: Important: OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7. Red Hat Product Security has rated this update as having a security impact of Im ...
A vulnerability was discovered in runc, which is used by Docker to run containers. runc did not prevent container processes from modifying the runc binary via /proc/self/exe. A malicious container could replace the runc binary, resulting in container escape and privilege escalation. This was fixed by creating a per-container copy of runc (CVE-2019- ...
Arch Linux Security Advisory ASA-201902-6
=========================================
Severity: High
Date    : 2019-02-11
CVE-ID  : CVE-2019-5736
Package : runc
Type    : privilege escalation
Remote  : Yes
Link    : https://security.archlinux.org/AVG-878

Summary
=======
The package runc before version 1.0.0rc6-1 is vulnerable to privilege escalati ...
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. ...
A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system. The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability eithe ...
Arch Linux Security Advisory ASA-201902-20
==========================================
Severity: High
Date    : 2019-02-17
CVE-ID  : CVE-2019-5736
Package : flatpak
Type    : privilege escalation
Remote  : Yes
Link    : https://security.archlinux.org/AVG-880

Summary
=======
The package flatpak before version 1.2.3-1 is vulnerable to privilege esc ...
A vulnerability discovered in runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, ...
IBM Cloud Private is affected by an issue with runc used by Docker. The vulnerability allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host. ...
IBM Cloud Kubernetes Service is affected by a security vulnerability in runc which could allow an attacker that is authorized to run a process as root inside a container to execute arbitrary commands with root privileges on the container's host system. ...

Exploits

## CVE-2019-5736 ##

This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). The simplest way to use it is to copy the exploit code into an existing container, and run `make.sh`. However, you could just as easily create a bad image and run that.

```console
% docker run --rm --name pwnme -dit ubuntu:18.10 bash
pwnme
% docker cp ...
```

# Usage

Edit HOST inside `payload.c`, compile with `make`. Start `nc` and run `pwn.sh` inside the container.

# Notes

- This exploit is destructive: it'll overwrite the `/usr/bin/docker-runc` binary *on the host* with the payload. It'll also overwrite `/bin/sh` inside the container.
- Tested only on Debian 9.
- No attempts were made to make it stable o ...

Mailing Lists

Someone outside of the embargo has posted a PoC of the exploit for CVE-2019-5736 (which is related though not using the same vector)[1]. Since the original researchers have posted a blog post explaining the exploit in some detail[2], I've decided to post the exploit code early -- since the cat is out of the bag anyway. CVE-2019-5736.tar.xz has the ...
Hello, there is a container breakout currently discussed (CVE-2019-5736), which affected LXC among others. Let me share two more, IMHO easier, breakout techniques that work against LXC, at least in Ubuntu 18.10, which has LXC 3.0.3. Both techniques work only in privileged containers, and so, given that LXC upstream does not treat privileged contai ...
On 2019-02-13, Loganaden Velvindron <loganaden () gmail com> wrote: Yes, there is a PoC that someone outside of the embargo posted on GitHub (it is quite different to the one we have but it is using a related issue which our patch also fixed). At this point I might as well post the actual exploit code (given that the original vulnerability ...
On Tue, Feb 12, 2019 at 12:05:20AM +1100, Aleksa Sarai wrote: [...] While runc, LXC, and maybe other projects fix CVE-2019-5736 in userspace, Virtuozzo/OpenVZ 7 has just released a kernel fix instead - please see the forwarded message below. Following links from there, I found the following description of the issue in context of Virtuozzo and ...

Github Repositories

NVIDIA Container Runtime for Docker. Documentation: The full documentation and frequently asked questions are available on the repository wiki. An introduction to the NVIDIA Container Runtime is also covered in our blog post. Quickstart: Make sure you have installed the NVIDIA driver and a supported version of Docker for your distribution (see prerequisites). If you have a cus

CVE-2019-5736-PoC. nvd.nist.gov/vuln/detail/CVE-2019-5736. PoC of CVE-2019-5736.

CVE-2019-5736-PoC. PoC for CVE-2019-5736. Created with help from @singe, @_cablethief, and @feexd. Tested on Ubuntu 18.04 and Arch Linux, Docker versions 18.09.1-ce and 18.03.1-ce. What is it? This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host system's runc binary from within the container. How does th

DOCKER-2019-5736. Exploit code for CVE-2019-5736. access.redhat.com/security/cve/cve-2019-5736. The container escape for Docker. The exploit overwrites and executes the host system's runc binary from the container. Tested on Ubuntu 16.04 and Arch-based distros, Docker version 18.06. go build main.go

Exploit for CVE-2019-5736, Version 1 (inspired by the original idea from DragonSector): use a malicious.so (which is used by runc) with a malicious entry point (like #!/proc/self/exe) to hijack the execution of runc, and then open '/proc/self/exe' to hold the file descriptor. Then 'fork-exec' to run another process, and the child process will inherit the file descriptor. F

RunC-CVE-2019-5736. Two POCs for CVE-2019-5736. www.twistlock.com/labs

RunC-CVE-2019-5736. Two POCs for CVE-2019-5736. See www.twistlock.com/labs for an explanation of CVE-2019-5736 and the two POCs. Running the POCs: Note that running the POCs will overwrite the runC binary on the host. It is highly recommended that you create a copy of your runC binary (normally at /usr/sbin/runc) before running one of the POCs. Clone the repository: $ git clone ht

CVE Builds for legacy docker-runc. This repo provides a backport of patches for CVE-2019-5736 for older versions of runc that were packaged with Docker. Build and Releases: Refer to the releases section of this repo for the binaries. In order to build yourself, or build for different architectures, just run make and the binaries will end up in /dist. The binaries will be of the

CVE-2019-5736. This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). The simplest way to use it is to copy the exploit code into an existing container, and run make.sh. However, you could just as easily create a bad image and run that. % docker run --rm --name pwnme -dit ubuntu:18.10 bash pwnme % docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar We need

Usage: Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container. Notes: This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the payload. It'll also overwrite /bin/sh inside the container. Tested only on Debian 9. No attempts were made to make it stable or reliable, it's only tested to

YuvalAvra-RunC-CVE-2019-5736-

Usage: Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container. Notes: This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the payload. It'll also overwrite /bin/sh inside the container. Tested only on Debian 9. No attempts were made to make it stable or reliable, it's only tested to work wh

dockerevil. A simple repository to store my security flaws in the docker technology: Docker API Privilege Escalation; Escalate from Offline Server/Minimal Images/Build from TAR Dockerfile; Docker SUDO Privilege Escalation (PoC); Nmap Scripts. Other awesome security flaws found in the docker: How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass and Persisten

Kaosagnt's Ansible Everyday Utils. This project contains many of the Ansible playbooks that I use daily as a Systems Administrator in the pursuit of easy server task automation. Installation: You will need to set up and install Ansible like you normally would before using what is presented here. Hint: it uses ansible, www.ansible.com. Optional: Create an ansible-everyd

CVE-MyLife. CVE in My Life! A little adventure in the world! List CVE: CVE-2016-2098: Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. CVE-2016-3345: The SMBv1 server in Microsoft Windows Vista SP2, Windows

Awesome CVE PoC. A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Major Container Security Flaw Threatens Cascading Attacks
Threatpost • Tara Seals • 12 Feb 2019

runc, a building-block project for the container technologies used by many enterprises as well as public cloud providers, has patched a vulnerability that would allow root-level code-execution, container escape and access to the host filesystem.
Discovered by researchers Adam Iwaniuk and Borys Popławski, the vulnerability (CVE-2019-5736) “allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,”...

Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is
The Register • Thomas Claburn in San Francisco • 11 Feb 2019

'Doomsday scenario' unless devops crowd walks this way

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for c...

References

CWE-216
http://www.securityfocus.com/bid/106976
https://access.redhat.com/errata/RHSA-2019:0303
https://access.redhat.com/errata/RHSA-2019:0304
https://access.redhat.com/errata/RHSA-2019:0401
https://access.redhat.com/errata/RHSA-2019:0408
https://access.redhat.com/security/cve/cve-2019-5736
https://access.redhat.com/security/vulnerabilities/runcescape
https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
https://brauner.github.io/2019/02/12/privileged-containers.html
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc
https://github.com/docker/docker-ce/releases/tag/v18.09.2
https://github.com/Frichetten/CVE-2019-5736-PoC
https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
https://github.com/q3k/cve-2019-5736-poc
https://github.com/rancher/runc-cve
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
https://security.netapp.com/advisory/ntap-20190307-0008/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
https://www.exploit-db.com/exploits/46359/
https://www.exploit-db.com/exploits/46369/
https://www.openwall.com/lists/oss-security/2019/02/11/2
https://www.synology.com/security/advisory/Synology_SA_19_06
https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
https://www.rapid7.com/db/vulnerabilities/docker-cve-2019-5736
https://www.exploit-db.com/exploits/46369
https://nvd.nist.gov
https://threatpost.com/container-security-flaw-runc/141737/
https://seclists.org/oss-sec/2019/q1/119
https://tools.cisco.com/security/center/viewAlert.x?alertId=59636