Last week, Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, disclosed a serious vulnerability tracked as CVE-2019-5736 affecting
The vulnerability was discovered by the security researchers Adam Iwaniuk and Borys Popławski.
A vulnerability of this kind can have a significant impact on an IT environment: successful exploitation breaks out of the container and gives the attacker root on the container host, which in turn compromises the hundreds to thousands of other containers running on it.
The flaw could affect popular cloud platforms, including AWS and Google Cloud, as well as several Linux distributions.
The PoC exploit code for the container escape was published on GitHub; its execution requires root (
“This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host systems
“An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit which will allow code execution as root,”
The PoC code allows a malicious container (with minimal user interaction) to overwrite the host
Because the PoC replaces the host binary with the malicious payload instead of restoring it, the system is no longer able to run Docker containers afterwards.
The expert also pointed out a second exploitation scenario: a malicious Docker image that triggers the exploit when a container is created from it, without requiring anyone to exec into the container.
Default configurations of Red Hat Enterprise Linux and Red Hat OpenShift are protected, while Debian and Ubuntu are working to address the issue. Both Google Cloud and AWS published security advisories recommending that customers update the affected services.
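Given that the fix reached customers through many different vendor channels, the first thing an operator wants is a quick triage of each host. The script below is an added example, not code from the article, the runc project or any vendor advisory, and it does not reproduce the exploit. It assumes that Docker CE 18.09.2 was the first 18.09.x release to ship the fixed runc (fixes were also backported to older branches, so a lower version is flagged "needs-review" rather than declared vulnerable), that the runc version string did not change with the fix (so runc is only reported, not judged), and that the protection of default RHEL and OpenShift installs comes from SELinux in enforcing mode, which is why the SELinux mode is listed as a mitigating factor.

```shell
#!/bin/sh
# Added example: a small CVE-2019-5736 triage script for a Docker host.
# Not code from the article, the runc project or any vendor advisory, and it
# does not reproduce the exploit. Assumptions it relies on:
#   * Docker CE 18.09.2 is the first 18.09.x release shipping the fixed runc.
#     Vendors backported the fix to older branches too, so a lower version means
#     "needs-review" (read your vendor's advisory), not "proven vulnerable".
#   * The runc version string (e.g. "1.0.0-rc6") did not change with the fix,
#     so runc is reported for the record rather than judged by version.
#   * Red Hat attributed the protection of default RHEL/OpenShift installs to
#     SELinux in enforcing mode, so the SELinux mode is listed as a mitigating factor.
# Plain variables (no arrays, no `local`) keep the script POSIX sh compatible.

FIXED_DOCKER_VERSION="18.09.2"   # assumption, see above

# strip_version VERSION: keep only the leading dotted-numeric part,
# e.g. "18.06.1-ce" -> "18.06.1", "v18.09.2" -> "18.09.2".
strip_version() {
  v=${1#v}
  printf '%s' "${v%%[!0-9.]*}"
}

# version_lt A B: succeed (exit 0) when A sorts before B comparing each numeric
# component, so "18.9.0" < "18.10.0" (a plain string compare gets that wrong).
version_lt() {
  a=$(strip_version "$1")
  b=$(strip_version "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
  done
  return 1
}

# classify_docker_version VERSION: "ok" at or after the fixed release, else "needs-review".
classify_docker_version() {
  if version_lt "$1" "$FIXED_DOCKER_VERSION"; then
    printf 'needs-review'
  else
    printf 'ok'
  fi
}

# audit_host: report what can be determined locally. Every tool is optional,
# so the script is safe to run on a host that has none of them installed.
audit_host() {
  if command -v docker >/dev/null 2>&1; then
    dv=$(docker version --format '{{.Server.Version}}' 2>/dev/null || true)
    case $dv in
      [0-9]*) printf 'docker engine %s: %s\n' "$dv" "$(classify_docker_version "$dv")" ;;
      *)      echo 'docker CLI present but the daemon did not answer; run "docker version" by hand' ;;
    esac
  else
    echo 'docker: not installed on this host'
  fi
  if command -v runc >/dev/null 2>&1; then
    printf 'runc: %s (compare the build against your vendor advisory)\n' \
      "$(runc --version 2>/dev/null | head -n 1)"
  fi
  if command -v getenforce >/dev/null 2>&1; then
    printf 'SELinux: %s\n' "$(getenforce 2>/dev/null || echo unknown)"
  fi
  return 0
}

audit_host
```

Run it on each container host; a "needs-review" verdict means the engine predates the 18.09.2 release and the vendor advisory for that branch decides whether the host is patched, while "Enforcing" under SELinux is the mitigating factor Red Hat cited for its defaults.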
VMware also confirmed that its products are impacted, and released patches to address the vulnerability in VMware Integrated OpenStack with Kubernetes (VIO-K), VMware PKS (PKS), VMware vCloud Director Container Service Extension (CSE), and vSphere Integrated Containers (VIC).
“VMware product updates resolve mishandled file descriptor vulnerability in