runC is the low-level container runtime underneath Docker, Kubernetes and other container-based software. The serious vulnerability disclosed here lets an attacker execute arbitrary commands on the host as root.
Security has long been a weak point of container technology. The biggest container security risk is that an attacker who can run malicious code inside a container may, in the worst case, go on to attack the host system.
On February 11, 2019, the researchers disclosed the details of the runc container escape vulnerability on the oss-security mailing list (https://www.openwall.com/lists/oss-security/2019/02/11/2). Under Openwall's rules the exploit (EXP) is to be published 7 days later, that is, on February 18, 2019.
The full English text follows:
The Linux community is dealing with another security flaw, with the latest bug impacting the runC container runtime that underpins Docker, cri-o, containerd, and Kubernetes.
The bug, dubbed CVE-2019-5736, allows a compromised container to overwrite the host runC binary and gain root-level code execution on the host. This would effectively allow the compromised container to take control of the host it runs on and let an attacker execute any command there.
“It is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand,” explained Aleksa Sarai, a senior software engineer at SUSE and a maintainer for runC, in an email posted on Openwall. Sarai added that the flaw is blocked by the proper implementation of user namespaces “where the host root is not mapped into the container’s user namespace.”
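As an added example (not part of the original article and not runC's own code), the following POSIX shell snippet checks the condition Sarai describes: whether host uid 0 is mapped into a process's user namespace. It parses the text of /proc/PID/uid_map, whose lines have the form "inside-id outside-id length". The sample maps are constructed, and the assumption that the "outside" column is a host uid holds for a single level of user-namespace nesting, such as Docker's --userns-remap; for deeper nesting it is the parent namespace's uid instead.

```shell
#!/bin/sh
# Added example, not code from the original article or from runC.
# Checks the mitigation condition quoted above: is host uid 0 mapped into a
# process's user namespace?  Input is the text of /proc/<pid>/uid_map, whose
# lines have the form:  <id-inside-ns> <id-outside-ns> <length>
# Assumption: the map is one namespace level below the host, so the
# "outside" column is a host uid (true for Docker --userns-remap; with deeper
# nesting it is the parent namespace's uid instead).

# Prints "yes" when some mapped range covers host uid 0, "no" otherwise.
# A range [outside, outside+length) contains uid 0 exactly when outside == 0.
host_root_mapped() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $2 == 0 && $3 >= 1 { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Convenience wrapper for a live process (defaults to the calling shell).
host_root_mapped_in_pid() {
    pid="${1:-self}"
    host_root_mapped "$(cat "/proc/$pid/uid_map")"
}

# Constructed sample maps (not captured from a real system):
# identity map: the container's root is the host's root
NO_USERNS='         0          0 4294967295'
# userns-remap: container root is host uid 100000
REMAPPED='         0     100000      65536'
# rootless-style map: container root is an unprivileged host uid 1000
ROOTLESS='         0       1000          1
         1     100000      65535'

printf 'NO_USERNS  host root mapped: %s\n' "$(host_root_mapped "$NO_USERNS")"   # yes
printf 'REMAPPED   host root mapped: %s\n' "$(host_root_mapped "$REMAPPED")"    # no
printf 'ROOTLESS   host root mapped: %s\n' "$(host_root_mapped "$ROOTLESS")"    # no

# On a real host or inside a container, run: host_root_mapped_in_pid
# "yes" means the quoted mitigation does NOT apply; "no" means it does.
```

Run it inside a container to see which case applies: a "yes" result means the container's root is the host's root, which is the configuration Sarai says leaves most runtimes exposed; "no" means the host root is not mapped in and the user-namespace mitigation is in place.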
The bug has received an “important” impact rating from some vendors. Sarai said the flaw has a CVSSv3 score of 7.2 out of 10.
A patch for the flaw has been developed and is being sent out to the runC community. A number of vendors and cloud providers have already taken steps to roll out the patch.
RunC was initially spun out of work done by Docker Inc. It’s an Open Container Initiative (OCI)-compliant command line interface (CLI) tool for spawning and running containers.
While not specific to the Kubernetes ecosystem, the latest flaw follows on the heels of a “critical” flaw found in the container orchestration platform late last year. That bug impacted all Kubernetes-based products and services, and it gave attackers full administrative privileges on any compute node running in a Kubernetes cluster.
A patch was quickly developed and released, but many observers note that they expect more bugs to be found.
“There are always going to be vulnerabilities,” Rani Osnat, vice president of product marketing at Aqua Security, told SDxCentral during the KubeCon + CloudNativeCon North America 2018 event in Seattle. “The fact that one was found was to be expected. And I expect more will be found going forward. That’s just what should be expected with software.”
Cloud security provider Lacework last year found more than 21,000 open container orchestration and API management systems exposed on the internet that could serve as attack points. Those open systems included deployments using Kubernetes, Docker Inc.’s Swarm, Mesos Marathon, Red Hat OpenShift, Portainer.io, and Swarmpit.
There are also overhanging chip security concerns tied to the Spectre, Meltdown, and Foreshadow bugs that are keeping the Linux kernel community busy.
Greg Kroah-Hartman, a fellow at the Linux Foundation, told attendees at last year’s Open Source Summit event in Vancouver, British Columbia, that more of those types of flaws will be found.
References:
https://www.theregister.co.uk/2019/02/11/docker_container_flaw/
https://www.zdnet.com/article/doomsday-docker-security-hole-uncovered/
https://www.sdxcentral.com/articles/news/kubernetes-docker-containerd-impacted-by-runc-container-runtime-bug/2019/02/
https://www.openwall.com/lists/oss-security/2019/02/11/2
Reposted from the OpenShift open source community; if this infringes any rights, please contact us for removal.