Doomsday Docker Security Hole Uncovered

An anonymous reader quotes a report from ZDNet: One of the great security fears about containers is that an attacker could infect a container with a malicious program, which could escape and attack the host system. Well, we now have a security hole that could be used by such an attack: RunC container breakout, CVE-2019-5736. RunC is the underlying container runtime for Docker, Kubernetes, and other container-dependent programs. It's an open-source command-line tool for spawning and running containers. Docker originally created it. Today, it's an Open Container Initiative (OCI) specification. It's widely used. Chance are, if you're using containers, you're running them on runC.

According to Aleksa Sarai, a SUSE container senior software engineer and a runC maintainer, security researchers Adam Iwaniuk and Borys Popawski discovered a vulnerability, which "allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root." To do this, an attacker has to place a malicious container within your system. But, this is not that difficult. Lazy sysadmins often use the first container that comes to hand without checking to see if the software within that container is what it purports to be. Red Hat technical product manager for containers, Scott McCarty, warned: "The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."

Containers

[110010001000]

Containers are just computer programs. I never understood the hipster fascination with it.

Re:Containers

[farble1670]

I never understood the fascination with Linux. It's just a few computer programs.

Re:Containers

Containers are primarily used by programmers trying to do an end-run around systems and security engineers who are trying to protect the programmer and the organization.

Re:Containers

[lactose99]

I never understood the fascination with computers. Its just a few abacus routines.

Re:Containers

Thank you. You said this so much better than I ever could.

Re:Containers

But...but...agility!!

Re:Containers

[ArchieBunker]

Dependencies got so convoluted that nobody could compile code from another project because it needed 100 obscure libraries. 10 of those libraries needed another handful of libraries, etc etc. Voila, problem solved.

Re:Containers

[gweihir]

Containers work for those that are insecure in the area of system administration. That they have to maintain every individual container now and an additional layer that can be attacked escapes them.

Re:Containers

[gweihir]

Hahahaha, nice! Pretty true also.

Re:Containers

[tdelaney]

Or ... they're used as lightweight virtualization doing a small set of jobs instead of heavyweight VMs that use considerably more disk space, memory and take longer to start up.

Like on my QNAP where I have multiple LXC containers that are each a VPN endpoint, routable gateway and SOCKS5 proxy.

Re:Containers

What's your alternative when you want to roll out 100,000 new machine configurations? Would you have someone walk down the cold isle swapping out the harddisks, or would you netboot and reimage? How long would that take?

You can even cause problems by using a VM - for example, in Google it's forbidden to run a non-corp maintained copy of Windows on any platform: physical or virtual. IT has a crazy idea of how to manage Windows machines though - they disable everything and refuse to hand out administrator privs for anyone. End result is all Windows machines are turkeys - they can't do anything except run Chrome (very slowly, because there's a heap of virus scanners and Bit9).

There's also hypervisor escapes with VMs. This is just a hypervisor escape of a different type - where the "hypervisor" is RunC.

Re:Containers

[crow]

It's a cross between a chroot environment and a virtual machine. For most purposes, it is a virtual machine, but by using file system overlays, the overhead per VM is much lower; almost as low as running them all in the same environment.

That's the theory, anyway.

If you're running dozens or hundreds of web servers or something like that, it's probably a good solution. If you're only running a few, there's probably no reason not to just use real VMs. Of course, for many people it's not about what's the best fit, it's about using the tool you know.

Re:Containers

[AHuxley]

So a computer and chair can be used to work on may different OS projects.
No having to get up and move to a secure computer.
It saves on computers and walking around.

Re:Containers

LOL no.
Containers are primarily used to have reproducible builds with specific versions of the build tools that you need to build whatever project it is that you are working on.

Re:Containers

Close. Containers are programmers trying to do an end run around IT, who are trying to make their jobs simultaneously both as secure and as easy as possible.

Re: Containers

Installing an entire OS to run your container services is not lightweight. Lightweight containers are directly integrated into the hypervisor.

Re: Containers

Nobody in this thread has a clue how containers work do they?

Re: Containers

[tdelaney]

Perhaps I should have said lighter-weight.

Re:Containers

[pete6677]

Because Kubernetes (K8 for those in the know) is the new hawtness, yo!

Re: Containers

True! The same developer types utilize cloud instance that are spun up outside the purview of system and security admins, and managers/data owners are none the wiser. :-|

Re: Containers

What I find surprising, is articles like this https://devops.com/docker-vs-vms/ which are horribly inaccurate. Anyone who has ever utilized VMware, for instance, knows that most of the statements about overhead and constraints (and performance) of VM's in this article, are just plain wrong (even at the time of the articles posting). I've been reading many Docker vs. VM posts lately, and I'm astonished, because it's as if no one writing the articles have ever even utilized any modern hypervisor (much less aware of their actual limitations or constraints). If you read these, you would think traditional hypervisor are cumbersome inefficient and non-performant beasts, and Docker is some sort of holy grail... It's just weird. Who's making this crap up??

Re: Containers

and cloud is just someone elses problem..I mean computer.

Re: Containers

This is /. you know O_o

Re:Containers

Or ... they're used as lightweight virtualization doing a small set of jobs instead of heavyweight VMs that use considerably more disk space, memory and take longer to start up.

Like on my QNAP where I have multiple LXC containers that are each a VPN endpoint, routable gateway and SOCKS5 proxy.

Fantastic says the infosec redteam. Multiple ways in with large attack surfaces duplicated several times over.

Developers could at least crack open a sec+ book to learn the basics before they start drilling holes in the ship.

Re: Containers

um, I think its spelled k8s, yo

Re: Containers

It just need a linux host, not virtual machine, but uses primarily namespaces and cgroups, otherwise just a regular process.

Re:Containers

[sfcat]

Containers are primarily used by programmers trying to do an end-run around systems and security engineers who are trying to protect the programmer and the organization.

That's funny. I always saw the ops folks being the ones pushing it. Or maybe they were the devops folks. Those non programmer types always change their job titles so quickly. But seriously, I've never seen a programmer push containers. I've always seen it pushed from ops or management. I've also never seen anyone happy with their container deployment...

Re: Containers

those of us who do are too busy maintaining our apps in production

Re: Containers

Google sounds worse than my university's IT department, which manages its own image for the university. It's also generally recommended to not use more than one anti-virus program because they conflict with each other, and Windows Defender is actually pretty solid.

Re: Containers

Devops = developer/software engineer + sysadmin

Re:Containers

[Opportunist]

I never understood the fascination with math. It's just a few numbers.

Re:Containers

[tdelaney]

Whilst they are a potential attack vector, they're pretty heavily locked down. Services run as nobody, these are VPN clients (not servers), no default gateway unless the VPN is up, all DNS requests except to the VPN server must be resolved over the VPN, traffic is MASQUERADEd, etc.

Re:Containers

I never understood the fascination with numbers. It's just pigment paste on pressed cellulose fibers.

Re:Containers

[DarkOx]

^^^Containers have a place.

I do something similar. I have all my home services: http proxy, dvr, file server, several web applications, router, DLNA server; etc split out into containers. Why? precisely because I DO want to be able to install updates and apply patches. Containers make that easy. As long as I get the kernel right and don't break LXC there isn't much on the host that will impact services.

I can upgrade each container (and easily revert to a btrfs snapshot of it if things go wrong) at time. I can test and resolve any issues which sadly are pretty damn common, one service at a time. Sometimes the issues are specific to the service sometime the fix is more an OS level thing that I can make a note of and apply quickly when I update the other containers. What I don't want to deal with is update everything at once or have one host filesystem and upgrade and hope nothing breaks. I don't have time to sit and test everything for 2 hours. I don't want to sit down Sunday night and find I got none of my shows recorded all week. I don't want my wife to call on Tuesday while I am at client out of state and tell me she can't surf the web.

Containers solve that problem well. Oh and they let me do it all on a little low power ARM system; good luck doing that with full VMs. The I/O alone would make it impossible. I can run all this on a couple sata-ssds without problems. I don't want to go back to some whitebox PC or old server hardware with fans roaring away stuffed in a corner somewhere either.

On the other hand a lot of people are using containers to AVOID patching and updating anything ever - and yes that is going to lead to terrible security problems. It also basically defeats any enterprise patch management and platform standards plan that might be out there. Pretty much in a commercial setting I'd say either you need a mature dev-ops organization ( IE not some guy who said hey this docker thing is cool lets toss it in) where IT Security has input or container technologies should be avoided at this stage.

 

Re: Containers

People selling Docker services.

Re:Containers

But...but...agility!!

I want to take a baseball bat to people that use that term "agile" when announcing jobs cuts... "We need to be lean and agile...yada..yada...yada...." bullshit...

Re:Containers

[BringsApples]

I never understood the fascination with numbers. They're just measurements from zero.

Re:Containers

[null+etc.]

I never understood the fascination with Linux. It's just a few computer programs

No, you're thinking of GNU/Linux.

Re:Containers

[Anil]

Not sure of how useful containers are in production, but just like VMs they are extremely useful when developing and testing software that needs to target multiple platforms, or needs to do automated testing against many supported versions.

Re: Containers

Perhaps you shouldn't have talked at all. You just made yourself look like an idiot. Talking about things we've been doing for 20 years without containers. What's old is new.

Re: Containers

LOL. A little bit of knowledge can be very dangerous. Tread lightly noob.

Re: Containers

I donâ(TM)t really see whatâ(TM)s not accurate about it. Other than perhaps pitting âoeVMs-vs-Containersâ You use containers for stateless application deployment where typically VMs hold state. No typical hypervisor can match the density of a well tuned container environment where CPU can be allocated in thousandths of cores.

Re:Containers

[angel'o'sphere]

Many programmers push for containers.

It makes it much more handy to work on a project that is developed while two or more older versions are out in the field and needs to be maintained.

It makes it also easier to simply try something out, especially if you have a repository in your organization with typical configurations. So getting an image is a few clicks or an ansible or kubernetes command.

I've also never seen anyone happy with their container deployment...
And I have never seen anyone unhappy.

Perhaps your organizations have not the maturity level to work with containers or VMs?

Re:Containers

[angel'o'sphere]

Then use a dependency manager ... there are plenty.

You don't need to use maven if you prefer to have build and dependencies separated ... take ivy and gradle, problem solved.

If you can not handle dependencies, you should not be in the software business.

Re:Containers

[angel'o'sphere]

If you have a cloud, you probably want to spin down "VMs" that you don't need at the moment. And spin up some handling a single or a few dozen requests and spin them down again.

That is 100 times faster with containers than with VMs. And you can shift your load over the real hardware much more efficient.

If you're running dozens or hundreds of web servers or something like that, it's probably a good solution.
It is not the question of "services", it is a question of requests. If you are in an elastic cloud, that gets slashdotted, and you really want to avoid losing requests, you simply spin up more and more containers.

And unlike most people her wrote above: usually you combine VMs with containers. On the real hardware you have 10 VMs and inside of the VMs 100 or more containers.

Re:IT guys

I think you're confused. "IT guys" generally aren't involved with engineering zero-days out of software. That's more of a software engineer thing. Unless your "IT guy" is a software engineer for Docker. In which case, it's strange to refer to him as an "IT guy" rather than a software engineer.

Doomsday Docker Security Hole Uncovered in RunC

[grep+-v+'.*'+*]

Wow! Y2K38 came early.

Re:Doomsday Docker Security Hole Uncovered in RunC

Y2K38 came early.

What's the point of the "K" as you use it there?

"Y2K" all on its own makes sense: it abbreviates "Year 2000", so there's some efficiency to it. "Y2K38" takes just as many characters as "Y2038", which, since you're not saving anything on the year, comes across as a bit dweebish over just saying "year 2038".

Re:Doomsday Docker Security Hole Uncovered in RunC

[Opportunist]

We're talking containers and we're saying k8s instead of kubernetes.

If this isn't telling you that we're talking hipster here, what will? So OF COURSE it's 2Y38.

Huh? What's Hipster? Well, technically, I think it's leetspeek with a beard.

They allow your software to be sloppy...

and undocumented since it runs isolated from everything else, and doesn't have to be installed
run in the same machine (virtual or physical) as other software.

Re: IT guys

I like it. You call yourself an IT guy? is a little flat compared to you call yourself a software engineer?

why Joyent exists

[epine]

The Joyent cloud features a second layer of isolation. Sometimes you see this described as "double-hulled virtualization". The OS performance penalty to achieve this is low to non-existent due to the nature of BSD zones (hardened jails).

Joyent hybrid cloud: Triton Compute Service and Triton DataCenter integration

This is precisely the scenario that Joyent's technology exists to mitigate.

You think you're running Linux containers, but under the hood you've also got zones and ZFS snapshots.

There is a resource penalty involved in using a high-integrity file system like ZFS, (efficient copy-on-write requires extensive write-buffer coalescing) but it's often not a large one compared to the many gains in administrative security and ease.

Re:why Joyent exists

Joylent green is PEOPLE!

Re:why Joyent exists

[Rysc]

You're implying that you can't get the equivalent of BSD zones on Linux and run containers inside them. You can, it's just a lot of bother.

Re:why Joyent exists

Just about every "enterprise" feature that Linux has slowly and painfully reimplemented was already done far better in illumos/Solaris. Unfortunately, sheer momentum and large companies with lots of money will win over technical superiority every time.

But docker is a particularly sad example of this.

Re: why Joyent exists

[Zemplar]

Severely underrated comment.

Re:why Joyent exists

last time i checked, you can't just "run" smartOS like you can any linux distro. you need a whole network of servers that tftp boot off each other, and i'm not going there.

Re:why Joyent exists

some people said similar things about Solaris being the new kid when Multics had been around and forgotten already too

Re:why Joyent exists

[DeVilla]

Solaris and the other UNIXes died for the same reason. They all provided roughly the same feature set in slightly incompatible ways. It made development, maintenance and administration unnecessarily difficult and error prone.

None of the vendors put sincere effort into fixing it. The GNU tools focus portability helped immensely with this. Free source tools ended up defining the only true portable standard. They gained features consistently that the others had and implemented them in ways that served the developers & user rather than an particular vendor. Eventually Linux and the FSF's tools became the best of breed UNIX without even being UNIX.

Docker is a mess because it was originally developed in a way that served the interests of Docker Inc. The single local name space of images, the poor default implement of a remote registry, the ability to only search images in dockerhub... It wasn't designed to support secure isolation. That was bolted on later and needs continual patching. There is a not-so-new love affair with BSD/MIT style licenses and "Open Core" business models. It's only bringing back the bad old days of the past.

Re:why Joyent exists

The reason that solaris and the others died is that they tried to charge money for advanced features. The industry wasn't ready for those advances and believed free linux was the same but free.

Re:why Joyent exists

[DeVilla]

It's not that Linux was the same. It's that it would inevitably acquire any of the useful features only other UNIX had minus the annoyances that come with attempts at lock-in.

Re:IT guys

[forkfail]

Damnit, Jim, I'm a Docker, not a software engineer.

Wait, wut did I just say?

Container Store

[firehawk2k]

I got a malicious container from the Container Store. I blame Marie Kondo.

overblown

yes it's bad; but it is not the first docker escape and it won't be the last

it's also funny, because of the way it works: the bug in runc allows the container to overwrite the runc binary and inherit runc's root privileges

Stateless Containers

It makes doing stateless design easier.

http://www.drdobbs.com/architecture-and-design/containers-for-development/240168801

Re:Stateless Containers

[Junta]

The reality is that it can support both.

I have seen container images that live eternally and get randomly changed and 'docker committed' and no one is comfortable knowing how to get back to that state.

To the extent I have authority to do so, I make sure that images do not stray from a specific build process that comes from the same teams that release the OS platform and do not tolerate processes that involve 'change stuff in a container and commit to capture changes'. In that scenario it is a useful tool.

The parent laments at least resemble my dread: when a project talking about downloads gives only 'docker pull', then almost universally the software is crap held together by duct tape they barely could sort out to get run once. The preceding fad was 'virtual appliance', where the same thing held: developers lacking the competency to properly design their software to work sanely in a well controlled environment. Attempts to use those software have non-trivially more frequent incidents of falling over and no one on earth able to figure out what went wrong because they never unified how the software produces debug and they spew out in random places through third-party code the vendor doesn't really understand. Also they have a tendency to have some decrepit versions of software dating back to when they first did a 'docker pull' when they started development and never bothering to refresh dependencies.

Sure, there will be examples of well maintained software and people doing the right thing in dockerhub, but there are a lot of crappy things there too. Sometimes things will look quite nice at first and then after using and configuring you quickly enter a configuration they didn't think about and poof.

Not with MY khaki dress slacks you don't!

You stay away from my comfortable Docker slacks. Don't you put no doomsday security holes in my khaki slacks! I need them for work.

Re: Not with MY khaki dress slacks you don't!

And you call yourself a software engineer

Doomsday Docker

Rule 34. Never underestimate it. Poor Superman.

Captcha: adultery

container security

Containers (the collection of Linux namespaces and cgroups) are not a strong enough security boundary to safely isolate untrusted code. They never have been, and anybody that told you otherwise is either lying or clueless. Containers are super convenient, and a great way to manage the deployment of your software, and you should use them -- Just not to protect mixed-trust workloads running on the same host from each other.

If you want to run code from sources that you don't trust, isolate it in a separate VM. If you want to use container-like workflows and orchestration systems to manage your VMs, use something like Kata Containers (https://katacontainers.io/).

Re:container security

It's not a strong enough security boundary, but it damn well *should* have been. There's no problem doing this in FreeBSD and Solaris without paying a hardware virtualization performance tax. Frankly, the Linux community should be embarrassed that such a fundamental system facility was implemented in a botched and useless manner.

Re:container security

Then docker itself is lying:
"Containers and virtual machines have similar resource isolation and allocation benefits. [] Containers are more portable and efficient"
https://www.docker.com/resources/what-container

Re:container security

If you have mixed trust, you should really separate the physical hardware (storage, processing, and networking) in the various zones of trust.
If you have a VM with untrusted code, there are still exploits that can escape that VM. Even ignoring that, since it is physically on the same network hardware it could mount a network based attack on adjacent VMs without compromising the hypervisor itself.
Toss a modern hardware-based network firewall between the zones and monitor it.

Re:container security

[thereddaikon]

Yeah this is exactly the kind of stuff that Spectre and Meltdown etc make scary. VM's on the same hardware are not isolated anymore until you can replace your VM host with hardware that isn't susceptible.

Re:container security

It's bitztream the autism-hating, custom EpiPen-hating, Musk-hating, Qualcomm-hating, Firefox tabs-hating, Slashdot editors-hating Slashdot troll!

Re:IT guys

I want that docking kind of love. Like penis in the foreskin kind of love.

Re: IT guys

âoechance areâ??!

Geez, doesnt anyone proofread this crap?

Docker does not isolate

Docker is not about isolation, just ease of standing up an environment. If you want to have the security of isolating a Docker container from the host or other containers for that matter, you need to use a VM or BSD jails. I have services that ran execute arbitrary code, but they run as locked down users. Yet people have Docker running as root. This is just asking for trouble. Docker gives no guarantees about security, yet it runs as root and is expected to run whatever is inside of a container.

Docker is only about convenience, not security. Any security it so happens to have is arbitrary.

Re:IT guys

This is what we pay our IT guy an arm and a leg to prevent.

Where are you? I only get paid a hand and wrist, a full arm in itself would be awesome, PLUS a leg?! Sign me up!

Re:IT guys

I want that docking kind of love. Like penis in the foreskin kind of love.

That's called masturbation. You've had too much of that already

Re: IT guys

âoechance areâ??!

Geez, doesnt anyone proofread this crap?

Apparently you don't..

This AC Gets It

It's not a strong enough security boundary, but it damn well *should* have been. There's no problem doing this in FreeBSD and Solaris without paying a hardware virtualization performance tax. Frankly, the Linux community should be embarrassed that such a fundamental system facility was implemented in a botched and useless manner.

This is SO true. But the Docker crowd are too into new shiny to realize how utterly clueless they are and what a shambles the security posture is. 90% of the containers I see are running as fucking root!

It is literally as bad as Windows where every ISV requires local Administrator permissions just to run their ball-achingly bad calculator app.

So?

[BitztreamNotARealNam]

How's life in the hypocrite lane?