CVE-2019-5736
HIGHCVSS 8.6/10EPSS 98.57%
Last modified
CVE-2019-5736 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.. EPSS estimates a 98.57% chance of exploitation in the next 30 days.
Description
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Docker | Docker | < 18.09.2 | — |
| Linuxfoundation | Runc | <= 0.1.1 | — |
| Linuxfoundation | Runc | 1.0.0 | Rc1 |
| Redhat | Container Development Kit | 3.7 | — |
| Redhat | Openshift | 3.4 | — |
| Redhat | Openshift | 3.5 | — |
| Redhat | Openshift | 3.6 | — |
| Redhat | Openshift | 3.7 | — |
| Redhat | Enterprise Linux | 8.0 | — |
| Redhat | Enterprise Linux Server | 7.0 | — |
| Kubernetes Engine | All versions | — | |
| Linuxcontainers | Lxc | < 3.2.0 | — |
| Hp | Onesphere | All versions | — |
| Netapp | Hci Management Node | All versions | — |
| Netapp | Solidfire | All versions | — |
| Apache | Mesos | >= 1.4.0, < 1.4.3 | — |
| Apache | Mesos | >= 1.5.0, < 1.5.3 | — |
| Apache | Mesos | >= 1.6.0, < 1.6.2 | — |
| Apache | Mesos | >= 1.7.0, < 1.7.2 | — |
| Opensuse | Backports Sle | 15.0 | — |
| Opensuse | Leap | 15.0 | — |
| Opensuse | Leap | 15.1 | — |
| Opensuse | Leap | 42.3 | — |
| D2iq | Kubernetes Engine | < 2.2.0-1.13.3 | — |
| D2iq | Dc\/Os | < 1.10.10 | — |
| D2iq | Dc\/Os | >= 1.10.11, < 1.11.9 | — |
| D2iq | Dc\/Os | >= 1.11.10, < 1.12.1 | — |
| Fedoraproject | Fedora | 29 | — |
| Fedoraproject | Fedora | 30 | — |
| Canonical | Ubuntu Linux | 16.04 | — |
| Canonical | Ubuntu Linux | 18.04 | — |
| Canonical | Ubuntu Linux | 18.10 | — |
| Canonical | Ubuntu Linux | 19.04 | — |
| Microfocus | Service Management Automation | 2018.02 | — |
| Microfocus | Service Management Automation | 2018.05 | — |
| Microfocus | Service Management Automation | 2018.08 | — |
| Microfocus | Service Management Automation | 2018.11 | — |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.htmlMailing List, Third Party Advisory
- http://packetstormsecurity.com/files/163339/Docker-Container-Escape.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.htmlThird Party Advisory, VDB Entry
- http://www.openwall.com/lists/oss-security/2019/03/23/1Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/06/28/2Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/07/06/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/07/06/4Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/10/24/1Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/10/29/3Mailing List, Third Party Advisory
- http://www.securityfocus.com/bid/106976Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2019:0303Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0304Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0401Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0408Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0975Third Party Advisory
- https://access.redhat.com/security/cve/cve-2019-5736Third Party Advisory
- https://access.redhat.com/security/vulnerabilities/runcescapeThird Party Advisory
- https://aws.amazon.com/security/security-bulletins/AWS-2019-002/Third Party Advisory
- https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/Patch, Third Party Advisory, Vendor Advisory
- https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/Patch, Third Party Advisory, Vendor Advisory
- https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.htmlExploit, Mitigation, Third Party Advisory
- https://brauner.github.io/2019/02/12/privileged-containers.htmlExploit, Technical Description, Third Party Advisory
- https://bugzilla.suse.com/show_bug.cgi?id=1121967Issue Tracking, Patch, Third Party Advisory
- https://github.com/Frichetten/CVE-2019-5736-PoCExploit, Third Party Advisory
- https://github.com/docker/docker-ce/releases/tag/v18.09.2Release Notes, Third Party Advisory
- https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558bPatch, Third Party Advisory
- https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40dPatch, Third Party Advisory
- https://github.com/q3k/cve-2019-5736-pocExploit, Third Party Advisory
- https://github.com/rancher/runc-cveThird Party Advisory
- https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/Third Party Advisory
- https://security.gentoo.org/glsa/202003-21Third Party Advisory
- https://security.netapp.com/advisory/ntap-20190307-0008/Third Party Advisory
- https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003Exploit, Patch, Third Party Advisory
- https://usn.ubuntu.com/4048-1/Third Party Advisory
- https://www.exploit-db.com/exploits/46359/Exploit, Third Party Advisory, VDB Entry
- https://www.exploit-db.com/exploits/46369/Exploit, Third Party Advisory, VDB Entry
- https://www.openwall.com/lists/oss-security/2019/02/11/2Mailing List, Patch, Third Party Advisory
- https://www.synology.com/security/advisory/Synology_SA_19_06Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.htmlMailing List, Third Party Advisory
- http://packetstormsecurity.com/files/163339/Docker-Container-Escape.htmlExploit, Third Party Advisory, VDB Entry
- http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.htmlThird Party Advisory, VDB Entry
- http://www.openwall.com/lists/oss-security/2019/03/23/1Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/06/28/2Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/07/06/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/07/06/4Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/10/24/1Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/10/29/3Mailing List, Third Party Advisory
- http://www.securityfocus.com/bid/106976Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2019:0303Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0304Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0401Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0408Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:0975Third Party Advisory
- https://access.redhat.com/security/cve/cve-2019-5736Third Party Advisory
- https://access.redhat.com/security/vulnerabilities/runcescapeThird Party Advisory
- https://aws.amazon.com/security/security-bulletins/AWS-2019-002/Third Party Advisory
- https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/Patch, Third Party Advisory, Vendor Advisory
- https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/Patch, Third Party Advisory, Vendor Advisory
- https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.htmlExploit, Mitigation, Third Party Advisory
- https://brauner.github.io/2019/02/12/privileged-containers.htmlExploit, Technical Description, Third Party Advisory
- https://bugzilla.suse.com/show_bug.cgi?id=1121967Issue Tracking, Patch, Third Party Advisory
- https://github.com/Frichetten/CVE-2019-5736-PoCExploit, Third Party Advisory
- https://github.com/docker/docker-ce/releases/tag/v18.09.2Release Notes, Third Party Advisory
- https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558bPatch, Third Party Advisory
- https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40dPatch, Third Party Advisory
- https://github.com/q3k/cve-2019-5736-pocExploit, Third Party Advisory
- https://github.com/rancher/runc-cveThird Party Advisory
- https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/Third Party Advisory
- https://security.gentoo.org/glsa/202003-21Third Party Advisory
- https://security.netapp.com/advisory/ntap-20190307-0008/Third Party Advisory
- https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003Exploit, Patch, Third Party Advisory
- https://usn.ubuntu.com/4048-1/Third Party Advisory
- https://www.exploit-db.com/exploits/46359/Exploit, Third Party Advisory, VDB Entry
- https://www.exploit-db.com/exploits/46369/Exploit, Third Party Advisory, VDB Entry
- https://www.openwall.com/lists/oss-security/2019/02/11/2Mailing List, Patch, Third Party Advisory
- https://www.synology.com/security/advisory/Synology_SA_19_06Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-5736?
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
How severe is CVE-2019-5736?
CVE-2019-5736 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 98.57% probability of exploitation in the next 30 days.
How do I fix CVE-2019-5736?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2019-5736?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST