oss-sec mailing list archives
Re: CVE-2019-5736: runc container breakout exploit code
From: EJ Campbell <ejc3 () verizonmedia com>
Date: Wed, 13 Feb 2019 02:41:48 -0800
That should have been +i, sorry. Thank you for your quick response.

EJ

On Wed, Feb 13, 2019 at 1:58 AM Aleksa Sarai <cyphar () cyphar com> wrote:
> On 2019-02-13, Aleksa Sarai <cyphar () cyphar com> wrote:
> > On 2019-02-13, EJ Campbell <ejc3 () verizonmedia com> wrote:
> > > While fixing docker / runc is clearly the right fix, would using
> > > chattr -i on runc be a quick mitigation for the issue? I believe that will
> > > prevent the file from being overwritten by the exploit and Etienne Stalmans
> > > verified that it helped:
> > > https://twitter.com/_staaldraad/status/1095354945073754112
> >
> > The privileged user in the container could just un-set the immutable bit
> > using "/proc/self/fd/..." and then open it for writing. A read-only
> > filesystem would work much better.
>
> Sorry, I forgot that CAP_LINUX_IMMUTABLE is dropped by default in Docker.
> Yes that mitigation would also work.
>
> --
> Aleksa Sarai
> Senior Software Engineer (Containers)
> SUSE Linux GmbH
> <https://www.cyphar.com/>
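The thread discusses two stop-gap mitigations for CVE-2019-5736: setting the immutable attribute on the runc binary (chattr +i, effective only while containers cannot obtain CAP_LINUX_IMMUTABLE, as noted above) or placing the binary on a read-only filesystem. The following is an added example, not code from the thread or from the runc project: a small Python checker that parses `lsattr` output and `/proc/self/mounts` text to report whether a given runc path has either protection. The sample `lsattr` and mounts lines are constructed, and the runc path `/usr/bin/runc` is an assumption; on a real host the optional `check_live` helper reads the live files instead.

```python
"""Report whether a runc binary is shielded from in-place overwrite by the
immutable attribute (chattr +i) or by a read-only mount.

Added example for the oss-sec thread on CVE-2019-5736; not runc or Docker code.
"""
import posixpath
import subprocess

# Constructed sample data: lsattr output for two binaries and two mount lines.
SAMPLE_LSATTR = (
    "----i---------e------- /usr/bin/runc\n"
    "--------------e------- /usr/bin/docker\n"
)
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/dev/sda2 /usr ext4 ro,relatime 0 0\n"
)
RUNC_PATH = "/usr/bin/runc"  # assumption; distributions differ


def immutable_from_lsattr(lsattr_output: str, path: str) -> bool:
    """True if lsattr lists `path` with the 'i' (immutable) flag set.

    lsattr prints a fixed-width flag string followed by the file name;
    the letter 'i' anywhere in the flag string means immutable.
    """
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == path:
            return "i" in parts[0]
    return False


def mount_for_path(mounts_text: str, path: str):
    """Return (mountpoint, options) of the longest mount containing `path`.

    /proc/self/mounts fields: device mountpoint fstype options dump pass.
    The longest matching mount point wins, so /usr beats / for /usr/bin/runc.
    """
    norm = posixpath.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3].split(",")
        # Match on a path-component boundary; "/" matches everything.
        if norm == mnt or norm.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best


def readonly_mount(mounts_text: str, path: str) -> bool:
    """True if the mount holding `path` carries the 'ro' option."""
    found = mount_for_path(mounts_text, path)
    return found is not None and "ro" in found[1]


def runc_protected(lsattr_output: str, mounts_text: str, path: str) -> dict:
    """Summarise both mitigations for `path`.

    'immutable' relies on the container not holding CAP_LINUX_IMMUTABLE
    (Docker drops it by default, per the thread); 'readonly_mount' does not.
    """
    immutable = immutable_from_lsattr(lsattr_output, path)
    readonly = readonly_mount(mounts_text, path)
    return {
        "immutable": immutable,
        "readonly_mount": readonly,
        "protected": immutable or readonly,
    }


def check_live(path: str = RUNC_PATH) -> dict:
    """Run the same check against the running host (requires lsattr)."""
    with open("/proc/self/mounts") as fh:
        mounts_text = fh.read()
    try:
        lsattr_output = subprocess.run(
            ["lsattr", "-d", path], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:  # e2fsprogs not installed
        lsattr_output = ""
    return runc_protected(lsattr_output, mounts_text, path)


if __name__ == "__main__":
    print(runc_protected(SAMPLE_LSATTR, SAMPLE_MOUNTS, RUNC_PATH))
```

Running the block as a script evaluates the constructed sample, where runc is both immutable and on a read-only /usr; `check_live()` performs the same evaluation on a real host, and a result of `protected: False` means neither stop-gap is in place and only the patched runc closes the issue.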