The initial part of the attack involves enumerating the running processes in order to search for a running runC process. In a production environment, this means an attacker has access to an existing container, allowing software deployment and giving the attacker the ability to execute scripts inside a running container. Access can be obtained either through the exploitation of another vulnerability or a misconfiguration issue, or by owning a container inside a vulnerable environment.
This is followed by accessing the file descriptor using O_PATH flags:
After obtaining a valid file descriptor, the exploit opens a second file descriptor using the O_WRONLY flag:
After successfully acquiring the second file descriptor (fd2), the attacker attempts to write the payload; this is done in a loop.
To trigger this vulnerability, an attacker must be able to execute a binary within a container in a manner that results in spawning and terminating runC. This action allows an attacker to overwrite the runC binary.
To execute a payload, an attacker rewrites the binary that is executed inside the container (e.g., /bin/sh) as a shell script whose interpreter line is #!/proc/self/exe. This results in the execution of the modified runC binary payload.
Various vendors have already released patches and recommendations for CVE-2019-5736. An update from AWS and Docker also addresses the flaw.
This runC vulnerability illustrates how containers have to strike a balance between efficiency and security. However, setting up security measures early in the development pipeline can prevent greater security costs and additional work.
To protect container machines from vulnerabilities such as CVE-2019-5736, we recommend that organizations implement the following best practices:
The following Trend Micro Deep Security Integrity Monitoring rule detects changes to any binaries in the /usr/bin and /usr/sbin directories:
Due to the uniqueness of this exploit, we recommend that administrators implement scheduled and/or on-demand Integrity Monitoring scans.
In addition, Deep Security File Integrity Monitoring and Application Control provide out-of-the-box visibility into this malicious activity targeting a container host. If used in lockdown mode, Application Control would prevent this attack from executing.
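As an added illustration of the integrity-monitoring approach described above (example code written for this page, not a Deep Security rule or Trend Micro code), the following script baselines SHA-256 hashes of the regular files under monitored binary directories and reports any file that was modified, added or removed. The demo runs against a constructed temporary directory standing in for /usr/bin rather than the live host.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories the Integrity Monitoring rule in the text watches on a container host.
MONITORED_DIRS = ("/usr/bin", "/usr/sbin")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(dirs) -> dict:
    """Record one hash per regular file (symlinks skipped) under each monitored directory."""
    snapshot = {}
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if p.is_file() and not p.is_symlink():
                snapshot[str(p)] = sha256_of(p)
    return snapshot


def compare(old: dict, new: dict) -> dict:
    """Diff two snapshots; any hit on a binary directory is an alert worth investigating."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def demo() -> dict:
    """Constructed scenario: a fake bin directory where 'runc' is tampered with after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "usr" / "bin"
        bindir.mkdir(parents=True)
        (bindir / "runc").write_bytes(b"\x7fELF original runc")  # constructed sample content
        (bindir / "ls").write_bytes(b"\x7fELF ls")
        before = baseline([bindir])
        (bindir / "runc").write_bytes(b"\x7fELF tampered runc")  # simulated overwrite of the host binary
        (bindir / "dropped").write_bytes(b"#!/bin/sh\n")        # simulated new file in a binary directory
        diff = compare(before, baseline([bindir]))
        return {k: [os.path.basename(p) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(demo())
```

Running the demo reports runc as modified and dropped as added; on a real host you would persist the baseline snapshot and run compare on a schedule or on demand.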