Earlier today, CVE-2019-5736 was announced regarding a runC container breakout. Given the high CVSS rating of 7.2, it is imperative to quickly patch your systems.
What is CVE-2019-5736?
runC is the underlying container runtime beneath infrastructure such as Docker, cri-o, containerd, Kubernetes and others. This new vulnerability allows a compromised container to overwrite the host runC binary and gain root-level execution and underlying file access. As a result, an attacker can run any root-level command within a container when:
- Spinning up a new container based on the attacker's image
- Attaching (docker exec) into an existing container which the attacker had previous write access to.
Detecting exploits of CVE-2019-5736 using Sysdig Falco
While the first step anyone should take is scanning the images to find vulnerabilities and running compliance checks to make sure best practices are applied across the environment, there is still a need to cover containers currently running in the environment that are not easy to remove or fix. Fortunately, Sysdig Falco can be used to identify an attempt to exploit the vulnerability.

Sysdig Falco is an open source container security monitor designed to detect anomalous activity in your containers. Sysdig Falco taps into system calls to generate an event stream of all system activity. Falco's rules engine then allows you to create rules based on this event stream, allowing you to alert on system events that seem abnormal. Falco's rich language allows you to write rules at the host level and identify suspicious activity.

Update #1: As new information comes to light, we are updating the rule to better capture potential exploits. We are closely tracking this issue and will update as more data becomes available.

In this case, we are trying to target overwriting of the runC executable from a container. Below is an example of how we can use Falco to detect a potential exploit. Since process names may vary in different OSs, some tweaking to the rule might be needed. Please proceed with caution.

Disclaimer: The Falco rule is tested on Ubuntu 18.10 with Docker Server (Version 18.09.1). The exact details of the vulnerability are yet to be released and minor changes may be needed. Running processes inside a container as root when the PID namespace is mapped to the host is obviously risky and should be avoided. One option worth exploring is user namespace isolation.

The output would be something like:

01:25:51.733287089: Warning /proc/self/fd/3 is open to write by process (test-cve, /test-cve )

This highlights the powerful ability of the Falco engine to not only detect host level activity, but also target container focused actions to accurately identify malicious activity.
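The post's own rule text is not reproduced on this page. The rule below is an added illustration written for this edit, not Sysdig's published rule: it expresses in Falco's rule syntax the behaviour the post describes (a process inside a container opening a path under /proc/self/fd/ for writing) and uses the same output format as the sample alert quoted above. The rule name, description, tags and the choice of fields are the editor's assumptions; the field and operator names (evt.type, evt.is_open_write, container.id, fd.name, proc.name, proc.cmdline, startswith) are standard Falco ones.

```yaml
# Added example rule (editor's illustration, not the original post's rule).
# Fires when a process running inside a container opens /proc/self/fd/<n>
# for writing, which is the pattern the post targets for CVE-2019-5736.
# It does not key on a process name, so the per-OS tuning the post mentions
# for process names is not needed here; tune on fd.name or container fields
# instead if a legitimate workload in your environment does this.
- rule: Write to /proc/self/fd from a container
  desc: >
    A process inside a container opened a file descriptor path under
    /proc/self/fd/ for writing. Legitimate containerised workloads rarely
    do this; it is the step by which a container could reach the host's
    runC binary through its own /proc/self/exe descriptor.
  condition: >
    evt.type in (open, openat)
    and evt.is_open_write=true
    and container.id != host
    and fd.name startswith /proc/self/fd/
  output: >
    %fd.name is open to write by process (%proc.name, %proc.cmdline)
    container=%container.name id=%container.id
  priority: WARNING
  tags: [container, cve]
```

Append the rule to /etc/falco/falco_rules.local.yaml (the local-override file Falco loads by default) and restart Falco. The first field of the output line corresponds to the /proc/self/fd/3 seen in the post's sample alert; the container name and id are added so an alert can be traced back to the workload that triggered it. If a trusted image is known to write through /proc/self/fd, add an exception on container.image or container.name rather than widening the condition.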