Privilege escalation in runc - CVE-2019-5736

Vulnerability identifier: #VU17474

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green

CVE-ID: CVE-2019-5736

CWE-ID: CWE-264

Exploitation vector: Local access

Exploit availability: Public exploit is available

Vendor: Open Container Initiative

Affected software:
runc

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists in the runc container runtime due to file-descriptor mishandling, related to /proc/self/exe. A remote attacker can leverage the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec, overwrite the host runc binary with minimal user interaction and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

To prevent this attack, LXC has been patched to create a temporary copy of the calling binary itself when it starts or attaches to containers (cf. 6400238d08cdf1ca20d49bafb85f4e224348bf9d).

• https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
• https://brauner.github.io/2019/02/12/privileged-containers.html
• https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
• https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
• https://github.com/Frichetten/CVE-2019-5736-PoC