oss-sec mailing list archives
Re: CVE-2019-5736: runc container breakout exploit code
From: Aleksa Sarai <cyphar () cyphar com>
Date: Wed, 13 Feb 2019 20:57:43 +1100
On 2019-02-13, Aleksa Sarai <cyphar () cyphar com> wrote:
> On 2019-02-13, EJ Campbell <ejc3 () verizonmedia com> wrote:
> > While fixing docker / runc is clearly the right fix, would using chattr -i on runc be a quick mitigation for the issue? I believe that will prevent the file from being overwritten by the exploit and Etienne Stalmans verified that it helped: https://twitter.com/_staaldraad/status/1095354945073754112
>
> The privileged user in the container could just un-set the immutable bit using "/proc/self/fd/..." and then open it for writing. A read-only filesystem would work much better.

Sorry, I forgot that CAP_LINUX_IMMUTABLE is dropped by default in Docker. Yes, that mitigation would also work.

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
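As an added example that is not part of this thread, the following POSIX shell script gives a defender the two checks the exchange above turns on: whether a container's bounding capability set still contains CAP_LINUX_IMMUTABLE (read from the CapBnd line of /proc/PID/status, where the mitigation only holds if the bit is absent), and whether the immutable flag is actually set on the runc binary. The status lines are constructed sample data; the runc path is whatever your host uses.

```sh
#!/bin/sh
# Added example, not code from the thread. CAP_LINUX_IMMUTABLE is capability
# number 9 in linux/capability.h; Docker's default profile leaves it out of the
# container's bounding set, which is why chattr +i on runc holds up there.
CAP_LINUX_IMMUTABLE=9

# Exit 0 when capability bit CAPNUM is set in MASK, the 64-bit hex value that
# the CapBnd: line of /proc/PID/status reports.
cap_in_mask() {
    mask=$1; capnum=$2
    [ $(( (0x$mask >> capnum) & 1 )) -eq 1 ]
}

# Print the CapBnd mask from a /proc/PID/status file (or a saved copy of one).
capbnd_from_status() {
    awk '/^CapBnd:/ { print $2 }' "$1"
}

# Exit 0 when the immutable flag ('i' in lsattr's flag column) is set on FILE.
# lsattr is the e2fsprogs tool that shows the flags chattr sets/clears.
file_is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# Exit 0 when a process with the bounding set in status file $1 cannot clear
# the immutable bit, i.e. the mitigation cannot be undone from inside.
immutable_bit_is_protected() {
    if cap_in_mask "$(capbnd_from_status "$1")" "$CAP_LINUX_IMMUTABLE"; then
        echo "CAP_LINUX_IMMUTABLE present: immutable bit on runc can be cleared from inside"
        return 1
    fi
    echo "CAP_LINUX_IMMUTABLE absent: immutable bit on runc cannot be cleared from inside"
    return 0
}

# Constructed sample: status lines of a process in a container started with
# Docker's default capability set (mask 00000000a80425fb, bit 9 clear).
SAMPLE_STATUS=$(mktemp)
trap 'rm -f "$SAMPLE_STATUS"' EXIT
cat > "$SAMPLE_STATUS" <<'EOF'
Name:   sh
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
EOF

immutable_bit_is_protected "$SAMPLE_STATUS"
```

On a live host, point `capbnd_from_status` at `/proc/<container-init-pid>/status` and `file_is_immutable` at the runc binary to confirm both halves of the mitigation are in place.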