runc - Malicious container escape - CVE-2019-5736

Public Date:
Updated -
Status
Ongoing
Impact
Important

A flaw has been detected in runc which allows a malicious container to gain root-level access on the host machine. This issue has been assigned CVE-2019-5736 and has a security impact of Important.

Background Information

A vulnerability discovered in runc allows for a break out from the container to gain root-level access on the host machine.  

This vulnerability affects both the docker and runc packages available on Red Hat Enterprise Linux 7, which are delivered through the Extras channel. OpenShift Container Platform (OCP) 3.x depends on these packages from Red Hat Enterprise Linux 7 Extras and is also affected.

This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.

Take Action

Customers running affected versions of Red Hat products are strongly recommended to apply RPM updates from the RHEL 7 Extras channel as soon as errata becomes available.  Customers of OpenShift Online or OpenShift Dedicated have SELinux enabled in enforcing mode in every host across all clusters. It is expected that OSO/OSD is mitigated, with security patches to be deployed during upcoming maintenance windows.

Acknowledgements

Red Hat thanks the upstream Open Containers Security Team for reporting this issue. Upstream acknowledges Adam Iwaniuk and Borys Popławski as the researchers who discovered this flaw.

Additional Resources

Red Hat Blog

https://seclists.org/oss-sec/2019/q1/119

Impacted Products

Red Hat Product Security has rated CVE-2019-5736 as having a security impact of Important.

Impacted Red Hat Product versions are:

  • Red Hat Enterprise Linux 7

  • Red Hat OpenShift Container Platform 3.x*

* OpenShift Container Platform ships with the correct SELinux policies that also make it not vulnerable to this exploit.  If needed, administrators can determine if they have changed the SElinux policy or if they are still protected via the downloadable detection script on the "Diagnose" page.

Not Impacted Products

  • OpenShift Online and Dedicated are not vulnerable to exploit due to their use of SELinux in enforcing mode. 
  • Red Hat Enterprise LInux Atomic Host 7 is not affected by this vulnerability because the target runc binaries are stored on a read-only filesystem and cannot be overwritten.


Detecting Exploitation Attempts

Customers using SELinux in enforcing mode can observe exploitation attempts by looking at AVC events in the audit logs. E.g.

$ aureport -a

AVC Report

===============================================================

# date time comm subj syscall class permission obj result event

===============================================================

1. 11/02/19 00:00:00 script system_u:system_r:container_t:s0:c530,c886 2 file write system_u:object_r:container_runtime_exec_t:s0 denied 81359

The above event describes a process with the system_u:system_r:container_t context attempting to write to a file with the system_u:object_r:container_runtime_exec_t context, which is denied by the default policy on Red Hat Enterprise Linux 7.

NB: Though AVC events will still appear in the audit logs when SELinux is in permissive mode, they should not be relied upon as an attacker with root-level access to a machine can modify the logs.


Diagnose your vulnerability

Determine if your system is vulnerable

Determine if your system is vulnerable. Use the detection script below to determine if your system is currently vulnerable to this flaw. To verify the legitimacy of the script, you can download the detached GPG signature as well. Current script version is 1.1.

Fixes have been delivered in the Red Hat Enterprise Linux Extras channel. Customers using OpenShift Container Platform versions 3.9 and higher should apply these fixes.

This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which completely prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode.

If SELinux has been changed from the default enforcing mode to permissive mode, it can be set back to enforcing mode by following the instructions below:

Enabling SELinux

Users who update to the latest versions do not need to apply further mitigations. However, if the updates cannot be applied, mitigating the issue is recommended.

Mitigations for OpenShift Online and OpenShift Dedicated are already in place. Security patches will be deployed during upcoming maintenance windows.

SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.

Updates for Affected Products

ProductPackageAdvisory/Update

Red Hat Enterprise Linux 7 Extras

dockerRHSA-2019:0304

Red Hat Enterprise Linux 7 Extras

runc

RHSA-2019:0303

Red Hat OpenShift Container Platform 3.4

dockerpending
Red Hat OpenShift Container Platform 3.5
dockerpending
Red Hat OpenShift Container Platform 3.6
dockerpending
Red Hat OpenShift Container Platform 3.7
dockerpending

Customers using docker (or docker-latest*) will need to update the docker package, which bundles its own version of runc. Customers using CRI-O, podman, or any other container engine that depends on runc, will need to update the runc package. Updates to both docker and runc are delivered from the Red Hat Enterprise Linux 7 Extras channel.

OpenShift Container Platform (OCP) versions 3.9 and later use docker version 1.13 in the default configuration but can also use CRI-O as an alternative. Customers using OCP 3.9 and later should apply the respective update for docker or runc from the Red Hat Enterprise Linux 7 Extras channel.

OCP versions 3.4 through 3.7 use 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel, which is also affected by this issue.

*Note: docker-latest is deprecated as of Red Hat Enterprise Linux 7.5 and no longer supported. Customers using the docker-latest package should upgrade to the docker package shipped in Red Hat Enterprise Linux 7 Extras. More details:https://access.redhat.com/solutions/3092401

**Note: OpenShift Container Platform 3.9 initially shipped its own version of the runc package in the OCP 3.9 repository. The version of runc in Red Hat Enterprise Linux 7 Extras already supersedes the version in OCP 3.9. If running an OCP 3.9 cluster, runc should be updated from the Red Hat Enterprise Linux Extras channel.

Ansible Playbook

An Ansible playbook is available, which updates the packages if the packages are already installed. The script will fail for docker-latest which is no longer supported. To verify the legitimacy of the playbook, you can download the detached GPG signature as well. Current playbook version is 1.1.

The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):

# ansible-playbook -e HOSTS=hostname cve-2019-5736-update_fixit.yml 	

This playbook requires root privileges so you will need to use an account with appropriate permissions.


Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

8 Comments

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

How can OpenShift Onlie and dedicated be not vulnerable but Red Hat OpenShift Container Platform 3.x is affected? Do they use different selinux profiles? As far as I know OCP requires selinux enforcing.

OpenShift Container Platform ships with the correct SELinux policies that also make it not vulnerable to this exploit. However, we cannot know if admins have changed/disabled those policies. We are able, however, to validate that the policies are working on OSO and OSD.

If needed, administrators can determine if they have changed the SElinux policy or if they are still protected via the detection script provided.

Okay but then it's rather "OCP in its default configuration is not vulnerable because of the enabled selinux policy" :)

it already says so in resolve tab, not in impact tab which I read first :D

All of our RHEL 7 systems use SELinux in Enforcing mode. If we have not made any modifications to the SELinux policies are we protected from this vulnerability?

Hi Justin. Yes, you are protected from this vulnerability if the default RHEL/OCP policies are in effect. You will want to apply the patches at some point, as your security scanners will give you a false-positive that you're "vulnerable", but you can do that during a future scheduled maintenance window.

The Ansible playbook provided checks for "docker" package twice instead of for "docker" and "docker-latest" packages:

...
    - name: Check if docker is installed
      command: rpm -q docker
...
...
    - name: Check if docker-latest is installed
      command: rpm -q docker
...

Thanks for noticing, we will fix it promptly.