CVE-2019-5736 was published on February 12. It covers the runc container runtime used by Kubernetes. A flaw in how containers are run lets a malicious user exploit cri-o. A patch is already published; however, LXC is still vulnerable. A user who knows how to exploit the code base can overwrite the host runc library and gain root access to the Linux system, and because the code is already badly written, little effort is needed to trigger the exploit. The exploit, based on HEAD’s design, uses a modified version of the code that breaks the app’s original functionality; once that happens, the exploit runs. Many vendors asked for a proof of concept, so the researchers released the exploit code so that organizations can test for the vulnerability themselves. The researchers felt it was important to get the fix out before publishing a proof of concept, given how easily the flaw can be exploited against the standard LXC and runc implementations.
To quote the developers:
“It should be noted that upon further investigation, I’ve discovered that LXC has a similar vulnerability, and they have also pushed a similar patch which we co-developed. LXC is a bit harder to exploit, but the same fundamental flaw exists.
After some discussion with the systemd-nspawn folks, it appears that they aren’t vulnerable (because their method of attaching to a container uses a different method to LXC and runc).
I have been contacted by folks from Apache Mesos who said they were also vulnerable (I believe just using the exploit code that will be provided). It is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand.”
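Because the impact of this flaw is a silently replaced runc on the host, one check an operator can run between patch cycles is a hash comparison of the runc binary against a baseline recorded when the host was known-good. The script below is an added example, not code from the advisory or from the runc project; the runc path and baseline file location are assumptions, and the demo runs on a constructed stand-in file rather than the real binary.

```shell
#!/bin/sh
# Added example: detect a tampered runc binary by comparing its SHA-256
# against a baseline captured when the host was known-good.
# RUNC_PATH and BASELINE are assumed defaults, not values from the advisory.
RUNC_PATH="${RUNC_PATH:-/usr/sbin/runc}"
BASELINE="${BASELINE:-/var/lib/runc-baseline.sha256}"

# record_baseline PATH FILE: store the current SHA-256 of PATH in FILE.
# Re-run this after every legitimate runc package update.
record_baseline() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# check_runc PATH FILE: exit status 0 if the hash matches the baseline,
# 1 if it differs (possible overwrite), 2 if no baseline exists yet.
check_runc() {
    [ -f "$2" ] || return 2
    expected=$(cat "$2")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Demonstration on a constructed stand-in file in a temp dir (not real runc):
# record a baseline, then simulate the binary being replaced on the host.
demo() {
    tmp=$(mktemp -d)
    printf 'genuine runc build\n' > "$tmp/runc"
    record_baseline "$tmp/runc" "$tmp/baseline"
    check_runc "$tmp/runc" "$tmp/baseline" && echo "runc intact"
    printf 'replaced contents\n' > "$tmp/runc"
    check_runc "$tmp/runc" "$tmp/baseline" || echo "ALERT: runc hash mismatch"
    rm -rf "$tmp"
}

# For real use: check_runc "$RUNC_PATH" "$BASELINE"
demo
```

A mismatch right after a legitimate package upgrade is expected; re-record the baseline from a trusted source at that point so later alerts stay meaningful.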
We suggest all customers update all versions of K8s and subscribe to the following links for the most up-to-date info: