CVE-2019-5736

high-risk

Published 2019-02-11

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Do I need to act?

59.2% chance of exploitation in next 30 days

EPSS score — higher than 41% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

2 public exploits available

46359, 46369

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.6/10 High

LOCAL / LOW complexity

Affected Products (20)

Docker

Runc

Container Development Kit

Openshift

Enterprise Linux

Enterprise Linux Server

Kubernetes Engine

Lxc

Onesphere

Hci Management Node

Solidfire

Affected Vendors

Hp Redhat Apache Microfocus Google Canonical Fedoraproject Netapp Opensuse Linuxfoundation Linuxcontainers Docker D2Iq

References (132)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html

Exploit http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html

Third Party Advisory http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-...

Mailing List http://www.openwall.com/lists/oss-security/2019/03/23/1

Mailing List http://www.openwall.com/lists/oss-security/2019/06/28/2

Mailing List http://www.openwall.com/lists/oss-security/2019/07/06/3

Mailing List http://www.openwall.com/lists/oss-security/2019/07/06/4

Mailing List http://www.openwall.com/lists/oss-security/2019/10/24/1

Mailing List http://www.openwall.com/lists/oss-security/2019/10/29/3

http://www.openwall.com/lists/oss-security/2024/01/31/6

http://www.openwall.com/lists/oss-security/2024/02/01/1

and 112 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 18/34 · Moderate

Exposure 24/34 · High