CYBER NEWS

CVE-2019-5736: Linux Flaw in runc Allows Unauthorized Root Access

CVE-2019-5736 is another Linux vulnerability, this one discovered in the core runc container code. The runc tool is described as a lightweight, portable implementation of the Open Container Format (OCF) that provides the container runtime.




CVE-2019-5736 Technical Details

The security flaw potentially affects several open-source container management systems. In short, the flaw allows attackers to get unauthorized root access to the host operating system, thus escaping the Linux container.

In more technical terms, the vulnerability:

allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe, as explained in the official advisory.

The CVE-2019-5736 vulnerability was unearthed by open source security researchers Adam Iwaniuk and Borys Popławski. However, it was publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday.

“I am one of the maintainers of runc (the underlying container runtime underneath Docker, cri-o, containerd, Kubernetes, and so on). We recently had a vulnerability reported which we have verified and have a patch for,” Sarai wrote.

The researcher also said that a malicious user would be able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:

Creating a new container using an attacker-controlled image.
Attaching (docker exec) into an existing container which the attacker had previous write access to.

It should also be noted that CVE-2019-5736 isn’t blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora, due to the fact that container processes appear to be running as container_runtime_t.

Nevertheless, the flaw is blocked through correct use of user namespaces where the host root is not mapped into the container’s user namespace.
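One way to verify the user-namespace condition described above is to read a container process's `/proc/<pid>/uid_map` from the host and see whether host UID 0 falls inside any mapped range. This is an added example, not code from the article or from the runc project; the function names and the sample maps are constructed for illustration.

```python
import sys
from pathlib import Path

# Constructed uid_map samples (columns: ID inside ns, ID outside ns, range length).
NO_USERNS = "         0          0 4294967295\n"   # no user namespace in use
REMAPPED = "         0     100000      65536\n"    # container root -> host UID 100000
ROOT_LEAK = "0 100000 1000\n1000 0 1\n"            # host root mapped to in-container UID 1000


def parse_id_map(text):
    """Parse uid_map text into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def host_id_mapped(entries, host_id=0):
    """Return the in-namespace ID that host_id maps to, or None if it is unmapped."""
    for inside, outside, length in entries:
        if outside <= host_id < outside + length:
            return inside + (host_id - outside)
    return None


def host_root_mapped(pid, proc_root="/proc"):
    """True if host UID 0 is mapped into the user namespace of process `pid`.

    Run from the host's initial user namespace: the kernel reports the
    "outside" column relative to the reader when namespaces differ.
    """
    text = Path(proc_root, str(pid), "uid_map").read_text()
    return host_id_mapped(parse_id_map(text)) is not None


if __name__ == "__main__":
    # Usage: python3 check_userns.py <pid of a container process> ...
    for pid in sys.argv[1:]:
        state = "MAPPED (no userns protection)" if host_root_mapped(pid) else "not mapped"
        print(f"pid {pid}: host root {state}")
```

A map such as `ROOT_LEAK` shows why checking only the first line is not enough: container root is remapped, yet host root is still reachable as another in-container UID.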

Related: CVE-2018-14634: Mutagen Astronomy Linux Vulnerability Affects RHEL and Cent OS Distros

CVE-2019-5736 Patch and Mitigation

Red Hat says that the flaw can be mitigated when SELinux is enabled in targeted enforcing mode, a condition which comes by default on Red Hat Enterprise Linux, CentOS, and Fedora.

There’s also a patch released by the maintainers of runC available on GitHub. Please note that all projects which are based on runC should apply the patches themselves.

Who’s Affected?

Debian and Ubuntu are affected by the vulnerability, as are container systems running LXC, a Linux containerization tool that predates Docker. Apache Mesos container code is also affected.

Companies such as Google, Amazon, Docker, and Kubernetes have also released fixes for the flaw.

Milena Dimitrova
