CVE-2019-5736 is a recently disclosed, serious vulnerability affecting runC, the default container runtime for Docker, containerd, Podman, and CRI-O.
It allows an attacker-controlled rogue or compromised container running with elevated privileges to escape the container's sandbox and take over the host machine with root-level privileges.
When a host machine can be taken over by an attacker, standard techniques can be used to escalate the compromise to other machines in the cloud or on-premise data center, for example to gain access to sensitive information and exfiltrate it.
The vulnerable container runtime is a fundamental building block in cloud environments and data centers that use Docker and Kubernetes. The vulnerability therefore also affects related services, products and open source projects, such as managed Kubernetes services offered by cloud providers and Linux distributions that include Docker support.
The vulnerability in the container runtime has been fixed, and security teams should upgrade their environments according to the announcements made by the vendors and developers. See for example announcements by: Google
However, since any infrastructure upgrade takes time to be widely adopted, this vulnerability may still be successfully abused for quite some time. Security teams should keep a lookout for behavioural changes in their cloud environments that may indicate that a compromise, initiated for example via CVE-2019-5736, is in progress. Security tools should help administrators observe, identify and report significant changes in access patterns to databases in the data center, or unexpected connections to external endpoints that may be an attacker's command and control.
This is where a product like Alcide's Microservices Firewall can help security teams find, investigate and remediate compromised workloads and machines in the cloud environment.
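The behavioural detection described above, reduced to its core idea, as an added illustration that is not Alcide's code or part of the original post: learn each workload's normal destinations from a baseline window, then flag flows to new external endpoints (possible command and control), to databases the workload never used, or to new internal hosts. The flow records, the internal address range and the database port list are all constructed assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed sample flow records: (workload, destination IP, destination port).
# BASELINE is what each workload normally talks to; LIVE is a later window in
# which two records deviate from that baseline.
BASELINE = [
    ("web", "10.0.1.20", 5432),      # web -> postgres
    ("web", "10.0.1.30", 6379),      # web -> redis
    ("worker", "10.0.1.20", 5432),   # worker -> postgres
]
LIVE = BASELINE + [
    ("worker", "10.0.1.40", 3306),   # worker reaches a database it never used
    ("web", "203.0.113.7", 443),     # web reaches an outside host (possible C2)
]

# Assumed: the data center's own address space and the ports its databases use.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DB_PORTS = {3306, 5432, 6379, 27017}


def learn_baseline(records):
    """Map each workload to the set of (ip, port) destinations it normally uses."""
    seen = defaultdict(set)
    for workload, ip, port in records:
        seen[workload].add((ip, port))
    return seen


def is_internal(ip):
    """True when the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(baseline, records):
    """Return one alert per flow that leaves the workload's known destinations."""
    alerts = []
    for workload, ip, port in records:
        if (ip, port) in baseline.get(workload, set()):
            continue                      # seen during the baseline window
        if not is_internal(ip):
            reason = "new external endpoint (possible command and control)"
        elif port in DB_PORTS:
            reason = "new database access"
        else:
            reason = "new internal destination (possible lateral movement)"
        alerts.append((workload, ip, port, reason))
    return alerts
```

Running `detect(learn_baseline(BASELINE), LIVE)` yields two alerts, one for the worker's new database access and one for the web workload's external connection; in practice the baseline would be learned from real flow logs and refreshed as deployments change.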
Taking a high-level view, it will be interesting to see whether this vulnerability foreshadows a year of increased focus on cyber attacks against cloud environments in general and the Kubernetes/Docker ecosystem in particular.
Nitzan Niv is the Head of Security Research at Alcide.