Researchers Warn of Malicious Container Escape Vulnerability

By Sean Michael Kerner - February 11, 2019

A new, serious vulnerability in container technology was publicly reported on Feb. 11, one that could potentially enable an attacker to gain unauthorized access to the host operating system.

      Container technology led by the Docker engine has become increasingly popular in recent years as a way to build and deploy applications into isolated segments, on top of a server operating system. At the core of the modern container technology stack is a low-level component known as runc, which spawns and runs containers. The new CVE-2019-5736 vulnerability is a flaw in runc that could enable a malicious container to escape the confines of its isolated process segment.

      “The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,” Aleksa Sarai, senior software engineer at SUSE, wrote in an advisory.

With containers, the running container application is supposed to be isolated from the underlying operating system. With the CVE-2019-5736 vulnerability, an attacker could potentially gain access to the underlying operating system, putting all the containers that run on the host, as well as the host itself, at risk.

There are other ways a malicious container could escape isolation. These include privilege misconfiguration, which was the case with Play-with-Docker in an issue disclosed by CyberArk on Jan. 14.

      CVE-2019-5736 Patches

A patch has been made publicly available in the upstream runc project, and multiple vendors and cloud providers are currently pushing out updates where necessary.

Google noted in an advisory that Google Kubernetes Engine (GKE) Ubuntu nodes are impacted by the CVE-2019-5736 vulnerability. GKE nodes that are not running Ubuntu are not impacted by the flaw.

Multiple services at Amazon Web Services (AWS) are impacted by CVE-2019-5736, as AWS uses containers and runc extensively throughout its cloud infrastructure. Among the impacted services are Amazon Linux, Amazon Elastic Container Service (ECS), Elastic Container Service for Kubernetes (EKS), AWS Fargate, IoT Greengrass, AWS Batch, Elastic Beanstalk, Cloud9, SageMaker, RoboMaker and the Deep Learning AMI.

AWS has provided full details in its advisory to assist users in updating the impacted components to mitigate the risk from the flaw.

Across container vendors, updates are also being issued. Red Hat has advised its customers to update to help minimize risk, though the Linux vendor is also emphasizing that there are other mitigating controls that users already have in place. Red Hat makes use of SELinux (Security-Enhanced Linux), which provides additional layers of access control for a given process or application.

      “This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which completely prevents this vulnerability from being exploited,” Red Hat notes in its advisory. “The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode.”
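Two defender-side checks that follow from the points above, written as an added example for this page (not code from the runc advisory or any vendor): verifying the host runc binary against a recorded SHA-256 baseline, since the described attack overwrites that binary, and confirming that SELinux is in targeted enforcing mode as Red Hat describes. The candidate runc paths and the use of /sys/fs/selinux/enforce and /etc/selinux/config are assumptions about a typical RHEL-style host.

```python
import hashlib
import os
import sys

# Candidate locations of the host runc binary (assumption: adjust per distro).
RUNC_CANDIDATES = ("/usr/bin/runc", "/usr/sbin/runc", "/usr/bin/docker-runc")

def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a binary image."""
    return hashlib.sha256(data).hexdigest()

def runc_tampered(baseline_sha256: str, current_image: bytes) -> bool:
    """True if the on-disk runc no longer matches the recorded baseline.
    A new digest right after a package update is expected; any other change
    is the host-binary overwrite the advisory describes and needs triage."""
    return fingerprint(current_image) != baseline_sha256

def selinux_mitigates(enforce_sysfs: str, selinux_config: str) -> bool:
    """True when SELinux is enforcing at runtime AND the configured policy is
    'targeted', the combination Red Hat names as a full mitigation.
    enforce_sysfs: contents of /sys/fs/selinux/enforce ('1' or '0').
    selinux_config: contents of /etc/selinux/config."""
    enforcing = enforce_sysfs.strip() == "1"
    policy = ""
    for line in selinux_config.splitlines():
        line = line.strip()
        if line.startswith("SELINUXTYPE="):
            policy = line.split("=", 1)[1].strip().strip('"')
    return enforcing and policy == "targeted"

def check_host(baseline_sha256: str) -> dict:
    """Run both checks against the live host (paths above are assumptions)."""
    result = {"runc_path": None, "runc_tampered": None, "selinux_mitigates": False}
    for path in RUNC_CANDIDATES:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result["runc_path"] = path
                result["runc_tampered"] = runc_tampered(baseline_sha256, fh.read())
            break
    try:
        with open("/sys/fs/selinux/enforce") as e, open("/etc/selinux/config") as c:
            result["selinux_mitigates"] = selinux_mitigates(e.read(), c.read())
    except OSError:
        pass  # no SELinux on this host: count it as no mitigation
    return result

if __name__ == "__main__":
    # Usage: python3 check_runc.py <baseline sha256 recorded after the last patch>
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Record the baseline digest immediately after installing the patched runc package, and treat any later mismatch that does not coincide with a package update as an incident.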

One of the other ways that security experts commonly recommend to help secure containers is the use of a virtual machine. By running a container engine inside of a VM, there is an additional layer of isolation between an application and the host operating system. Scott McCarty, principal product manager for containers at Red Hat, told eWEEK that using VMs could potentially mitigate the impact of CVE-2019-5736, but only to an extent.

      “This CVE would not permit malicious code from breaking out of the OpenShift node in the Virtual Machine,” McCarty said. “But any number of containers could be scheduled on the host at any given time, because that’s how Kubernetes works, if nodes die, it reschedules them.”

      As such, McCarty added that even if malicious code couldn’t break out, Kubernetes might send good code in that would then “catch on fire.”

      “SELinux is still the best tool to mitigate at the host level,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
