Network Security, Patch/Configuration Management, Vulnerability Management

Flaw in runC could allow malicious containers to infect host environment

A vulnerability discovered in the runC container management tool has exposed multiple privileged container systems to a potential exploit through which attackers could allow malware to escape a container and compromise an entire host system.

Designated CVE-2019-5736, the flaw allows attackers to use a malicious container to overwrite the host runC binary during the execution a command as root, thereby granting themselves root access to the host. This works under two scenarios: when using a new container with an attacker-controlled image or when attaching into an existing container to which the attackers previously had write access.

Aleksa Sarai, a long-time contributor to the Open Container Initiative (OCI), which develops runC, acknowledged the flaw in a Tuesday post on, noting that OCI has already issued a patch, and will release exploit code on Feb. 18 to help container vendors ensure that these fixes will resolve the issue.

Affected vendors include solutions specializing in containerization technology such as CRI-O, containerD, Docker, Kubernetes (indirectly impacted) and Podman, as well as companies like Red Hat and Amazon Web Services, which offer containerization capabilities via an array of products and services, including their own Linux distributions.

These vendors have issued security advisories recommending customers download the latest version of their product and launch new container instances in order to protect themselves against a potential future exploit. The Linux distribution Ubuntu and the Unix-like operating system Debian are also working on patches, since containers generally run on Linux server environments.

"Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it," said Scott McCarty, principal product manager of containers at Red Hat, in a company blog post. "A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents."

Discovery of the vulnerability is credited to security researchers Adam Iwaniuk and Borys Poplawski.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.