CVE-2019-5736

runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout

  • Severity Score: 8.6 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 21 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

runc, through version 1.0-rc6, as used in Docker in versions prior to 18.09.2 and in other products, allows attackers to overwrite the host runc binary (and thereby obtain root access to the host) by leveraging the ability to execute a command as root in one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached to with docker exec. This occurs because of incorrect handling of the file descriptor, related to /proc/self/exe.

A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.

*Credits: N/A
CVSS Scores
  • Attack Vector: Local; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Changed; Confidentiality: High; Integrity: High; Availability: High
  • Attack Vector: Local; Attack Complexity: High; Privileges Required: None; User Interaction: Required; Scope: Changed; Confidentiality: High; Integrity: High; Availability: High
  • Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality: Complete; Integrity: Complete; Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-01-08 CVE Reserved
  • 2019-02-11 CVE Published
  • 2019-02-14 First Exploit
  • 2024-07-25 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-672: Operation on a Resource after Expiration or Release
CAPEC
Affected Vendors, Products, and Versions

| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Docker | Docker | < 18.09.2 | - | Affected |
| Linuxfoundation | Runc | <= 0.1.1 | - | Affected |
| Linuxfoundation | Runc | 1.0.0 | rc1 | Affected |
| Linuxfoundation | Runc | 1.0.0 | rc2 | Affected |
| Linuxfoundation | Runc | 1.0.0 | rc3 | Affected |
| Linuxfoundation | Runc | 1.0.0 | rc4 | Affected |
| Linuxfoundation | Runc | 1.0.0 | rc5 | Affected |
| Linuxfoundation | Runc | 1.0.0 | rc6 | Affected |
| Redhat | Container Development Kit | 3.7 | - | Affected |
| Redhat | Openshift | 3.4 | - | Affected |
| Redhat | Openshift | 3.5 | - | Affected |
| Redhat | Openshift | 3.6 | - | Affected |
| Redhat | Openshift | 3.7 | - | Affected |
| Redhat | Enterprise Linux | 8.0 | - | Affected |
| Redhat | Enterprise Linux Server | 7.0 | - | Affected |
| Google | Kubernetes Engine | - | - | Affected |
| Linuxcontainers | Lxc | < 3.2.0 | - | Affected |
| Hp | Onesphere | - | - | Affected |
| Netapp | Hci Management Node | - | - | Affected |
| Netapp | Solidfire | - | - | Affected |
| Apache | Mesos | >= 1.4.0 < 1.4.3 | - | Affected |
| Apache | Mesos | >= 1.5.0 < 1.5.3 | - | Affected |
| Apache | Mesos | >= 1.6.0 < 1.6.2 | - | Affected |
| Apache | Mesos | >= 1.7.0 < 1.7.2 | - | Affected |
| Opensuse | Backports Sle | 15.0 | - | Affected |
| Opensuse | Backports Sle | 15.0 | sp1 | Affected |
| Opensuse | Leap | 15.0 | - | Affected |
| Opensuse | Leap | 15.1 | - | Affected |
| Opensuse | Leap | 42.3 | - | Affected |
| D2iq | Kubernetes Engine | < 2.2.0-1.13.3 | - | Affected |
| D2iq | Dc/os | < 1.10.10 | - | Affected |
| D2iq | Dc/os | >= 1.10.11 < 1.11.9 | - | Affected |
| D2iq | Dc/os | >= 1.11.10 < 1.12.1 | - | Affected |
| Fedoraproject | Fedora | 29 | - | Affected |
| Fedoraproject | Fedora | 30 | - | Affected |
| Canonical | Ubuntu Linux | 16.04 | lts | Affected |
| Canonical | Ubuntu Linux | 18.04 | lts | Affected |
| Canonical | Ubuntu Linux | 18.10 | - | Affected |
| Canonical | Ubuntu Linux | 19.04 | - | Affected |
| Microfocus | Service Management Automation | 2018.02 | - | Affected |
| Microfocus | Service Management Automation | 2018.05 | - | Affected |
| Microfocus | Service Management Automation | 2018.08 | - | Affected |
| Microfocus | Service Management Automation | 2018.11 | - | Affected |