CVE-2019-5736

runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

runc, hasta la versión 1.0-rc6, tal y como se emplea en Docker, en versiones anteriores a la 18.09.2 y otros productos, permite que los atacantes sobrescriban el binario del host runc (y, así, obtengan acceso root al host) aprovechando la capacidad para ejecutar un comando como root con uno de estos tipos de contenedores: (1) un nuevo contenedor con una imagen controlada por el atacante o (2) un contenedor existente, para el cual el atacante contaba previamente con acceso de escritura, que puede adjuntarse con docker exec. Esto ocurre debido a la gestión incorrecta del descriptor de archivos; esto está relacionado con /proc/self/exe.

A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-01-08 CVE Reserved
2019-02-11 CVE Published
2019-02-14 First Exploit
2024-07-25 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-672: Operation on a Resource after Expiration or Release

CAPEC

References (82)

URL	Tag	Source
http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/03/23/1	Mailing List
http://www.openwall.com/lists/oss-security/2019/06/28/2	Mailing List
http://www.openwall.com/lists/oss-security/2019/07/06/3	Mailing List
http://www.openwall.com/lists/oss-security/2019/07/06/4	Mailing List
http://www.openwall.com/lists/oss-security/2019/10/24/1	Mailing List
http://www.openwall.com/lists/oss-security/2019/10/29/3	Mailing List
http://www.openwall.com/lists/oss-security/2024/01/31/6	Mailing List
http://www.openwall.com/lists/oss-security/2024/02/01/1	Mailing List
http://www.openwall.com/lists/oss-security/2024/02/02/3	Mailing List
http://www.securityfocus.com/bid/106976	Third Party Advisory
https://access.redhat.com/security/cve/cve-2019-5736	Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2019-002	Third Party Advisory
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc	Third Party Advisory
https://github.com/docker/docker-ce/releases/tag/v18.09.2	Release Notes
https://github.com/rancher/runc-cve	Third Party Advisory
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736	Third Party Advisory
https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E	Mailing List
https://security.netapp.com/advisory/ntap-20190307-0008	Third Party Advisory
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944	Third Party Advisory
https://www.synology.com/security/advisory/Synology_SA_19_06	Third Party Advisory
https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker	Third Party Advisory
https://www.openwall.com/lists/oss-security/2019/02/13/3
https://www.docker.com/blog/docker-security-update-cve-2018-5736-and-container-security-best-practices

URL	Date	SRC
https://github.com/Frichetten/CVE-2019-5736-PoC	2024-08-04
https://www.exploit-db.com/exploits/46369	2024-08-04
https://www.exploit-db.com/exploits/46359	2024-08-04
https://github.com/twistlock/RunC-CVE-2019-5736	2020-06-22
https://github.com/jas502n/CVE-2019-5736	2019-02-14
https://github.com/RyanNgWH/CVE-2019-5736-POC	2019-06-30
https://github.com/zyriuse75/CVE-2019-5736-PoC	2019-03-08
https://github.com/likescam/CVE-2019-5736	2019-02-14
https://github.com/geropl/CVE-2019-5736	2020-01-08
https://github.com/si1ent-le/CVE-2019-5736	2022-03-16
https://github.com/stillan00b/CVE-2019-5736	2019-03-27
https://github.com/N3rdyN3xus/CVE-2019-5736	2022-04-23
https://github.com/BBRathnayaka/POC-CVE-2019-5736	2020-05-14
https://github.com/Billith/CVE-2019-5736-PoC	2020-05-03
https://github.com/GiverOfGifts/CVE-2019-5736-Custom-Runtime	2020-02-20
https://github.com/yyqs2008/CVE-2019-5736-PoC-2	2019-02-23
http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html	2024-08-04
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html	2024-08-04
https://brauner.github.io/2019/02/12/privileged-containers.html	2024-08-04
https://github.com/q3k/cve-2019-5736-poc	2024-08-04
https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003	2024-08-04

URL	Date	SRC
https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability	2024-02-02
https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736	2024-02-02
https://bugzilla.suse.com/show_bug.cgi?id=1121967	2024-02-02
https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b	2024-02-02
https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d	2024-02-02
https://www.openwall.com/lists/oss-security/2019/02/11/2	2024-02-02

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html	2024-02-02
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html	2024-02-02
https://access.redhat.com/errata/RHSA-2019:0303	2024-02-02
https://access.redhat.com/errata/RHSA-2019:0304	2024-02-02
https://access.redhat.com/errata/RHSA-2019:0401	2024-02-02
https://access.redhat.com/errata/RHSA-2019:0408	2024-02-02
https://access.redhat.com/errata/RHSA-2019:0975	2024-02-02
https://access.redhat.com/security/vulnerabilities/runcescape	2019-05-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP	2024-02-02
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR	2024-02-02
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W	2024-02-02
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH	2024-02-02
https://security.gentoo.org/glsa/202003-21	2024-02-02
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc	2024-02-02
https://usn.ubuntu.com/4048-1	2024-02-02
https://access.redhat.com/security/cve/CVE-2019-5736	2019-05-07
https://bugzilla.redhat.com/show_bug.cgi?id=1664908	2019-05-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Docker Search vendor "Docker"		Docker Search vendor "Docker" for product "Docker"				< 18.09.2 Search vendor "Docker" for product "Docker" and version " < 18.09.2"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				<= 0.1.1 Search vendor "Linuxfoundation" for product "Runc" and version " <= 0.1.1"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc1		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc2		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc3		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc4		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc5		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc6		Affected
Redhat Search vendor "Redhat"		Container Development Kit Search vendor "Redhat" for product "Container Development Kit"				3.7 Search vendor "Redhat" for product "Container Development Kit" and version "3.7"		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				3.4 Search vendor "Redhat" for product "Openshift" and version "3.4"		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				3.5 Search vendor "Redhat" for product "Openshift" and version "3.5"		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				3.6 Search vendor "Redhat" for product "Openshift" and version "3.6"		-		Affected
Redhat Search vendor "Redhat"		Openshift Search vendor "Redhat" for product "Openshift"				3.7 Search vendor "Redhat" for product "Openshift" and version "3.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Google Search vendor "Google"		Kubernetes Engine Search vendor "Google" for product "Kubernetes Engine"				-		-		Affected
Linuxcontainers Search vendor "Linuxcontainers"		Lxc Search vendor "Linuxcontainers" for product "Lxc"				< 3.2.0 Search vendor "Linuxcontainers" for product "Lxc" and version " < 3.2.0"		-		Affected
Hp Search vendor "Hp"		Onesphere Search vendor "Hp" for product "Onesphere"				-		-		Affected
Netapp Search vendor "Netapp"		Hci Management Node Search vendor "Netapp" for product "Hci Management Node"				-		-		Affected
Netapp Search vendor "Netapp"		Solidfire Search vendor "Netapp" for product "Solidfire"				-		-		Affected
Apache Search vendor "Apache"		Mesos Search vendor "Apache" for product "Mesos"				>= 1.4.0 < 1.4.3 Search vendor "Apache" for product "Mesos" and version " >= 1.4.0 < 1.4.3"		-		Affected
Apache Search vendor "Apache"		Mesos Search vendor "Apache" for product "Mesos"				>= 1.5.0 < 1.5.3 Search vendor "Apache" for product "Mesos" and version " >= 1.5.0 < 1.5.3"		-		Affected
Apache Search vendor "Apache"		Mesos Search vendor "Apache" for product "Mesos"				>= 1.6.0 < 1.6.2 Search vendor "Apache" for product "Mesos" and version " >= 1.6.0 < 1.6.2"		-		Affected
Apache Search vendor "Apache"		Mesos Search vendor "Apache" for product "Mesos"				>= 1.7.0 < 1.7.2 Search vendor "Apache" for product "Mesos" and version " >= 1.7.0 < 1.7.2"		-		Affected
Opensuse Search vendor "Opensuse"		Backports Sle Search vendor "Opensuse" for product "Backports Sle"				15.0 Search vendor "Opensuse" for product "Backports Sle" and version "15.0"		-		Affected
Opensuse Search vendor "Opensuse"		Backports Sle Search vendor "Opensuse" for product "Backports Sle"				15.0 Search vendor "Opensuse" for product "Backports Sle" and version "15.0"		sp1		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.0 Search vendor "Opensuse" for product "Leap" and version "15.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				42.3 Search vendor "Opensuse" for product "Leap" and version "42.3"		-		Affected
D2iq Search vendor "D2iq"		Kubernetes Engine Search vendor "D2iq" for product "Kubernetes Engine"				< 2.2.0-1.13.3 Search vendor "D2iq" for product "Kubernetes Engine" and version " < 2.2.0-1.13.3"		-		Affected
D2iq Search vendor "D2iq"		Dc\/os Search vendor "D2iq" for product "Dc\/os"				< 1.10.10 Search vendor "D2iq" for product "Dc\/os" and version " < 1.10.10"		-		Affected
D2iq Search vendor "D2iq"		Dc\/os Search vendor "D2iq" for product "Dc\/os"				>= 1.10.11 < 1.11.9 Search vendor "D2iq" for product "Dc\/os" and version " >= 1.10.11 < 1.11.9"		-		Affected
D2iq Search vendor "D2iq"		Dc\/os Search vendor "D2iq" for product "Dc\/os"				>= 1.11.10 < 1.12.1 Search vendor "D2iq" for product "Dc\/os" and version " >= 1.11.10 < 1.12.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				29 Search vendor "Fedoraproject" for product "Fedora" and version "29"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"		-		Affected
Microfocus Search vendor "Microfocus"		Service Management Automation Search vendor "Microfocus" for product "Service Management Automation"				2018.02 Search vendor "Microfocus" for product "Service Management Automation" and version "2018.02"		-		Affected
Microfocus Search vendor "Microfocus"		Service Management Automation Search vendor "Microfocus" for product "Service Management Automation"				2018.05 Search vendor "Microfocus" for product "Service Management Automation" and version "2018.05"		-		Affected
Microfocus Search vendor "Microfocus"		Service Management Automation Search vendor "Microfocus" for product "Service Management Automation"				2018.08 Search vendor "Microfocus" for product "Service Management Automation" and version "2018.08"		-		Affected
Microfocus Search vendor "Microfocus"		Service Management Automation Search vendor "Microfocus" for product "Service Management Automation"				2018.11 Search vendor "Microfocus" for product "Service Management Automation" and version "2018.11"		-		Affected