#VU17474 Privilege escalation in runc - CVE-2019-5736

Vulnerability identifier: #VU17474

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green

CVE-ID: CVE-2019-5736

CWE-ID: CWE-264

Exploitation vector: Local access

Exploit availability: Public exploit is available

Vulnerable software:
runc

Software vendor:
Open Container Initiative

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists in the runc container runtime due to file-descriptor mishandling, related to /proc/self/exe. A remote attacker can leverage the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec, overwrite the host runc binary with minimal user interaction and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

To prevent this attack, LXC has been patched to create a temporary copy of the calling binary itself when it starts or attaches to containers (cf. 6400238d08cdf1ca20d49bafb85f4e224348bf9d).

• https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
• https://brauner.github.io/2019/02/12/privileged-containers.html
• https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
• https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
• https://github.com/Frichetten/CVE-2019-5736-PoC