Vulnerability Watch

Anonymous
7 years ago

A new vulnerability (CVE-2019-5736)[1] in the runc binary was disclosed, which is found in the docker and runc packages in many Linux distributions. The disclosure for this vulnerability[2] details how a malicious container can escape its sandbox and execute arbitrary commands on the host.

Fedora hosts aren’t protected by the default SELinux or AppArmor policies in Linux. Other Linux distributions like Red Hat Enterprise Linux (RHEL)[3] can mitigate this vulnerability if SELinux is set to ‘enforcing’ mode. In addition, this vulnerability is also mitigated so long as the host’s root account isn’t mapped into the malicious container’s namespace.

Also, as a clarification, the exploit doesn’t require the container to have the “--privileged” option set, but it does require the ability to run a process as host uid 0, which is the same for containers that don’t use namespaces.

Applying the latest OS security patches on your container host will mitigate this vulnerability. Docker has also released an update to address this vulnerability[4]. Amazon[5] has released an advisory for AWS users interested in updates as well.

A list of Nessus plugins to identify these vulnerabilities will appear here[6] as they’re released.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
[2] https://seclists.org/oss-sec/2019/q1/119
[3] https://access.redhat.com/security/cve/cve-2019-5736
[4] https://github.com/docker/docker-ce/releases
[5] https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
[6] https://www.tenable.com/plugins/search?q=%22CVE-2019-5736%22&sort=&page=1
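One way to check whether the two mitigations the post describes (host root not mapped into the container, SELinux enforcing on the host) actually hold, as an added example that is not code from the original post or from Tenable. It parses text an admin can collect by hand: `/proc/self/uid_map` read from inside a container, `getenforce` on the host, and `docker info` on the host. The function and class names are mine, the sample outputs are constructed, and the layout of the `Security Options:` block in `docker info` is assumed to match the 18.09-era daemon, which lists `userns` there when the daemon runs with `--userns-remap`.

```python
"""Posture check for the CVE-2019-5736 mitigations the post describes.

Added example, not code from the original post or from Tenable. Each check
reads plain text an admin can get from a host or from inside a container:

  * /proc/self/uid_map (inside a container): if host uid 0 lies inside the
    mapping, root in the container is root on the host, the precondition
    the post names.
  * `getenforce` (on the host): "Enforcing" is the SELinux state the post
    says mitigates the bug with RHEL's policy.
  * `docker info` (on the host): a "userns" entry under "Security Options"
    is assumed to mean the daemon runs with --userns-remap, so container
    root is an unprivileged host uid.

Inputs are passed in as strings so the check runs offline; the samples at
the bottom are constructed, not captured from a real host.
"""
from dataclasses import dataclass


@dataclass
class MitigationReport:
    host_root_mapped: bool       # container uid 0 is host uid 0
    selinux_enforcing: bool
    docker_userns_remap: bool    # host-side reason host_root_mapped should be False

    @property
    def mitigated(self) -> bool:
        # Either mitigation from the post suffices: host root is not mapped
        # into the container, or SELinux is enforcing on the host. This is
        # a posture check only; the fix is still to patch runc/docker.
        return self.selinux_enforcing or not self.host_root_mapped


def host_root_mapped(uid_map_text: str) -> bool:
    """uid_map lines are '<inside> <outside> <length>'. Report whether host
    (outside) uid 0 falls inside any entry."""
    for line in uid_map_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _inside, outside, length = (int(f) for f in fields)
        if outside <= 0 < outside + length:
            return True
    return False


def selinux_enforcing(getenforce_output: str) -> bool:
    """`getenforce` prints Enforcing, Permissive or Disabled."""
    return getenforce_output.strip().lower() == "enforcing"


def docker_userns_remap(docker_info_output: str) -> bool:
    """Scan the indented block under 'Security Options:' in `docker info`
    for a 'userns' entry; the block ends at the next line indented no
    deeper than the header."""
    header_indent = None
    for line in docker_info_output.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if header_indent is None:
            if line.strip() == "Security Options:":
                header_indent = indent
            continue
        if indent <= header_indent:
            break
        if line.strip() == "userns":
            return True
    return False


def assess(uid_map_text: str, getenforce_output: str,
           docker_info_output: str) -> MitigationReport:
    return MitigationReport(
        host_root_mapped=host_root_mapped(uid_map_text),
        selinux_enforcing=selinux_enforcing(getenforce_output),
        docker_userns_remap=docker_userns_remap(docker_info_output),
    )


# Constructed sample inputs (not captured from a real host).
UID_MAP_NO_USERNS = "         0          0 4294967295\n"   # plain `docker run`
UID_MAP_REMAPPED = "         0     100000      65536\n"    # daemon with --userns-remap
GETENFORCE_ENFORCING = "Enforcing\n"
GETENFORCE_DISABLED = "Disabled\n"
DOCKER_INFO_REMAP = """Server:
 Containers: 2
 Security Options:
  seccomp
   Profile: default
  userns
 Kernel Version: 4.18.0
"""
DOCKER_INFO_DEFAULT = """Server:
 Containers: 2
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0
"""

if __name__ == "__main__":
    cases = {
        "default Docker, SELinux disabled": (UID_MAP_NO_USERNS, GETENFORCE_DISABLED, DOCKER_INFO_DEFAULT),
        "default Docker, SELinux enforcing": (UID_MAP_NO_USERNS, GETENFORCE_ENFORCING, DOCKER_INFO_DEFAULT),
        "userns-remap, SELinux disabled": (UID_MAP_REMAPPED, GETENFORCE_DISABLED, DOCKER_INFO_REMAP),
    }
    for label, args in cases.items():
        report = assess(*args)
        print(f"{label}: {'mitigated' if report.mitigated else 'NOT mitigated'} {report}")
```

On a real host, feed the functions the actual command output (for example `cat /proc/self/uid_map` run inside the container you care about). A "mitigated" result only means the precondition the post names, running as host uid 0 without an enforcing SELinux policy, is absent; it says nothing about whether runc or docker has been patched, which remains the actual fix. The check deliberately ignores `--privileged`, since the post points out the exploit does not need it.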

5 Replies

  • Anonymous

    Tenable now has a full Security Advisory blog available for this vulnerability: https://www.tenable.com/blog/cve-2019-5736-exploits-the-common-runc-container-binary-to-escape-to-host

  • Anonymous

    Hello, are we going to see a plugin for Cisco devices? Cisco recently published an advisory today.

    Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

    Thank you,

  • Anonymous

    Hi Justin,

    We're following this advisory for any updates from Cisco. At this time it looks like they're still investigating which devices require updates and mitigations in order to remediate the vulnerability. Once we know more we'll be sure to notify the community.

  • Anonymous

    Is there a plugin for Ubuntu?

  • Anonymous

    I don't see a plugin for Ubuntu yet, but our live list of plugins can be seen here: https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2019-5736%22)&sort=&page=1