Root escalation bug in runc

A bug was found in the way the runc container runtime handles file descriptors when running containers. An attacker could use it to overwrite the contents of the runc binary on the host and run arbitrary commands on the container host with root privileges. To exploit the flaw, the attacker needs to be able to run a container with a crafted image and root privileges.

runc developer Aleksa Sarai has published details of the security hole, which was discovered by security researchers Adam Iwaniuk and Borys Popławski. He has also written a proof-of-concept exploit, which will be published on the OpenWall list on Feb 18. runc is the container runtime used by Docker, cri-o, containerd and Kubernetes.

In addition to the Docker/runc combination, the Ubuntu container software LXC is vulnerable to a similar attack. Patches for all affected packages have been released.

On Red Hat or CentOS 7 systems running OpenShift or Docker, the attack is mitigated when SELinux is enabled and in enforcing mode.
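The two things a host operator wants to verify after reading the above are whether the SELinux mitigation is actually in effect and whether the host's runc binary, the thing the bug lets a container overwrite, still matches a known-good copy. The following script is an added example written for this page, not code from the runc project or the researchers; the baseline file path `/var/lib/runc-baseline.sha256` and the function names are assumptions chosen for illustration. Patching runc remains the fix; these checks only confirm the mitigation state and detect a modified binary.

```shell
#!/bin/sh
# Added example (not from the article): defender-side checks for the runc
# file-descriptor bug described above.
#   1. Is SELinux enforcing? (the article's stated mitigation on RHEL/CentOS 7)
#   2. Has the host runc binary changed since a known-good baseline?
#      The flaw lets a malicious container overwrite that binary, so a hash
#      mismatch is the signal to investigate.

# Map the contents of /sys/fs/selinux/enforce (0 or 1) to a mode name.
selinux_mode_from_value() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo disabled ;;
    esac
}

# Read the live SELinux mode; "disabled" when selinuxfs is not mounted.
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        selinux_mode_from_value "$(cat /sys/fs/selinux/enforce)"
    else
        echo disabled
    fi
}

# Print the SHA-256 of a file; run once after patching to record a baseline.
record_baseline() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare a binary's current SHA-256 against a recorded baseline hash.
# Prints "ok" (exit 0) or "MODIFIED" (exit 1).
verify_binary() {
    bin="$1"; baseline="$2"
    actual=$(sha256sum "$bin" | cut -d' ' -f1)
    if [ "$actual" = "$baseline" ]; then
        echo ok; return 0
    else
        echo MODIFIED; return 1
    fi
}

# Top-level report. Arguments: [runc path] [baseline file]; both are
# hypothetical defaults, adjust to the host's layout.
report() {
    runc_path="${1:-$(command -v runc)}"
    baseline_file="${2:-/var/lib/runc-baseline.sha256}"
    echo "SELinux mode: $(selinux_mode)"
    if [ -r "$baseline_file" ]; then
        printf 'runc binary %s: ' "$runc_path"
        verify_binary "$runc_path" "$(cat "$baseline_file")"
    else
        echo "no baseline at $baseline_file; create one with:"
        echo "  record_baseline $runc_path > $baseline_file"
    fi
}
```

Source the file and call `report` (or `report /usr/bin/runc /root/runc.sha256`) from a root shell. Store the baseline hash somewhere the host cannot rewrite, such as a central inventory: an attacker who has already replaced runc has root on the host and could just as easily replace a baseline kept alongside it.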