HIGH
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Weakness: DEPRECATED: Containment Errors (Container Errors)
This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.
Published: 2019-02-11
Vulnerable Products
- Lxc
- Dc\/Os
- Docker
- Openshift
- Enterprise Linux Server
- Kubernetes Engine
- Enterprise Linux
- Leap
- Fedora
- Runc
- Kubernetes Engine
- Onesphere
- Element Software Management
- Mesos
Community Advisory
CVE-2019-5736 Exploits (24)
- twistlock/RunC-CVE-2019-5736 ( 55)
- epsteina16/Docker-Escape-Miner ( 1)
- GiverOfGifts/CVE-2019-5736-Custom-Runtime ( 1)
- Lee-SungYoung/cve-2019-5736-study
- RyanNgWH/CVE-2019-5736-POC
- agppp/cve-2019-5736-poc
- b3d3c/poc-cve-2019-5736
- chosam2/cve-2019-5736-poc
- jakubkrawczyk/cve-2019-5736
- jas502n/CVE-2019-5736
Show all exploits (+14):
- likescam/CVE-2019-5736
- likescam/cve-2019-5736-poc
- BBRathnayaka/POC-CVE-2019-5736
- q3k/cve-2019-5736-poc
- shen54/IT19172088
- stillan00b/CVE-2019-5736
- yyqs2008/CVE-2019-5736-PoC-2
- 46359
- 46369
- zyriuse75/CVE-2019-5736-PoC
- 13paulmurith/Docker-Runc-Exploit
- milloni/cve-2019-5736-exp
- Billith/CVE-2019-5736-PoC
- Frichetten/CVE-2019-5736-PoC
Bug Bounty
The Internet: CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host
submitted by adam_iwaniuk about 2 years ago
publicly disclosed over 1 year ago
50m-ctf: CTF write-up: c8889970d9fb722066f31e804e351993
submitted by ret2jazzy almost 2 years ago
publicly disclosed almost 2 years ago
50m-ctf: $50 million CTF Writeup
submitted by manoelt almost 2 years ago
publicly disclosed almost 2 years ago
Official CVE References
View references (61)
- opensuse.org/opensuse-security-announce/2019-03/msg00044.html
- opensuse.org/opensuse-security-announce/2019-04/msg00074.html
- opensuse.org/opensuse-security-announce/2019-04/msg00091.html
- opensuse.org/opensuse-security-announce/2019-05/msg00060.html
- opensuse.org/opensuse-security-announce/2019-05/msg00073.html
- opensuse.org/opensuse-security-announce/2019-06/msg00011.html
- opensuse.org/opensuse-security-announce/2019-06/msg00015.html
- opensuse.org/opensuse-security-announce/2019-08/msg00084.html
- opensuse.org/opensuse-security-announce/2019-10/msg00007.html
- opensuse.org/opensuse-security-announce/2019-10/msg00029.html
- openwall.com/lists/oss-security/2019/03/23/1
- openwall.com/lists/oss-security/2019/06/28/2
- openwall.com/lists/oss-security/2019/07/06/3
- openwall.com/lists/oss-security/2019/07/06/4
- openwall.com/lists/oss-security/2019/10/24/1
- openwall.com/lists/oss-security/2019/10/29/3
- securityfocus.com/bid/106976
- redhat.com/errata/RHSA-2019:0303
- redhat.com/errata/RHSA-2019:0304
- redhat.com/errata/RHSA-2019:0401
- redhat.com/errata/RHSA-2019:0408
- redhat.com/errata/RHSA-2019:0975
- redhat.com/security/cve/cve-2019-5736
- redhat.com/security/vulnerabilities/runcescape
- amazon.com/security/security-bulletins/AWS-2019-002/
- microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/
- microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/
- dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
- github.io/2019/02/12/privileged-containers.html
- suse.com/show_bug.cgi
- google.com/kubernetes-engine/docs/security-bulletins
- docker/docker-ce/releases/tag/v18.09.2
- Frichetten/CVE-2019-5736-PoC
- opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
- opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
- q3k/cve-2019-5736-poc
- rancher/runc-cve
- kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
- apache.org/thread.html/[email protected]%3Cdev.dlab.apache.org%3E
- apache.org/thread.html/[email protected]%3Cuser.mesos.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.dlab.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.dlab.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.mesos.apache.org%3E
- apache.org/thread.html/[email protected]%3Cdev.dlab.apache.org%3E
- apache.org/thread.html/[email protected]%3Cissues.geode.apache.org%3E
- fedoraproject.org/archives/list/[email protected]/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/
- fedoraproject.org/archives/list/[email protected]/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/
- fedoraproject.org/archives/list/[email protected]/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/
- fedoraproject.org/archives/list/[email protected]/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/
- gentoo.org/glsa/202003-21
- netapp.com/advisory/ntap-20190307-0008/
- softwaregrp.com/document/-/facetsearch/document/KM03410944
- hpe.com/hpsc/doc/public/display
- mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003
- cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
- ubuntu.com/4048-1/
- 46359
- 46369
- openwall.com/lists/oss-security/2019/02/11/2
- synology.com/security/advisory/Synology_SA_19_06
- twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/