Researchers at CyberArk have created a proof-of-concept attack that allows adversaries to bypass container security, escape the container and compromise the entire host system. The attack scenario is limited, however: a successful attack depends on an unpatched privilege escalation vulnerability being present on the host system.
CyberArk, which is presenting the research here at the RSA Conference on Thursday, said its technique works with a raft of exploits. “With about 20 lines of code and a few small tweaks to an exploit, we have created a way to jump a container and attack the underlying host,” said Nimrod Stoler, a cyber security researcher with CyberArk.
In research disclosed on Monday, CyberArk describes how a Linux privilege escalation vulnerability (CVE-2017-7308) present on a host system could be exploited. In the attack scenario, an adversary infects a website running inside a container. Once the website is compromised, the hacker can use the CyberArk proof-of-concept technique to break containment and infect the host. From there, the criminal owns the environment and can either pillage other co-hosted containers or try to move laterally within a corporate network, said CyberArk security researcher Lavi Lazarovitz.
“In our proof-of-concept attack, the Docker containers’ defense-in-depth strategy temporarily stopped us from escaping to the underlying host. But we expanded the exploit’s payload to include code that manipulated the container’s namespaces and eventually broke containment,” Lazarovitz said.
Docker containers rely on a number of security measures to protect the kernel that the container shares with its host, chiefly namespaces and cgroups. Namespaces are a core Linux kernel feature that provide the layer of isolation containers depend on. Cgroups (control groups) let the Docker engine share hardware resources such as memory among containers.
The CyberArk proof-of-concept attack first overwrites the namespaces of the container’s init process (process 1) with the host’s namespaces. “The exploit finishes by calling the setns syscall, which changes the current process’s namespaces into process 1’s and the host’s namespaces, practically tearing down the namespace walls between container and host and accomplishing a full escape to host,” CyberArk describes in a technical write-up to be published later this week.
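The escape described above leaves a telltale: once a process inside a container has joined the host's mount and PID namespaces, the symlinks under /proc/&lt;pid&gt;/ns/ for that process resolve to the same inode numbers as those of the host's init. The following is an added example, not CyberArk's or Docker's code, showing how a host-side monitor can compare namespace inodes and flag container processes that now share the host's mnt and pid namespaces. The inode numbers and PIDs in the sample data are constructed for illustration; the `read_proc_namespaces` helper is what you would run on a real Linux host.

```python
import os
import re
import sys
from typing import Dict

# Namespace types exposed under /proc/<pid>/ns/ on a modern Linux kernel.
NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")

# A process that shares *these* namespaces with the host's init is, for
# practical purposes, no longer contained. Sharing net or user alone is a
# common, legitimate configuration (e.g. host networking), so it is not
# treated as an escape on its own.
ESCAPE_NS = frozenset({"mnt", "pid"})

# /proc/<pid>/ns/<type> is a symlink whose target looks like "mnt:[4026531840]".
_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> tuple:
    """Parse a namespace symlink target into (type, inode)."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return m.group("type"), int(m.group("inode"))


def read_proc_namespaces(pid: int) -> Dict[str, int]:
    """Read the namespace inodes of a live process (Linux only, run on the host)."""
    result = {}
    for ns in NS_TYPES:
        try:
            ns_type, inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{ns}"))
        except (OSError, ValueError):
            continue  # kernel lacks this ns type, or we lack permission
        result[ns_type] = inode
    return result


def shared_with_host(host: Dict[str, int], proc: Dict[str, int]) -> set:
    """Namespace types in which `proc` lives in the same namespace as host init."""
    return {ns for ns, inode in proc.items() if host.get(ns) == inode}


def find_escaped(host: Dict[str, int], containers: Dict[int, Dict[str, int]]) -> Dict[int, set]:
    """Return {pid: shared namespace types} for container processes that share
    every namespace in ESCAPE_NS with the host."""
    escaped = {}
    for pid, ns in containers.items():
        shared = shared_with_host(host, ns)
        if ESCAPE_NS <= shared:
            escaped[pid] = shared
    return escaped


# Constructed sample data: inode numbers and PIDs are invented for illustration.
SAMPLE_HOST = {"mnt": 4026531840, "pid": 4026531836, "net": 4026531992,
               "ipc": 4026531839, "uts": 4026531838, "user": 4026531837,
               "cgroup": 4026531835}
SAMPLE_CONTAINERS = {
    # Normal container: private namespaces, shares only the user namespace.
    1001: {"mnt": 4026532203, "pid": 4026532204, "net": 4026532206,
           "ipc": 4026532205, "uts": 4026532202, "user": 4026531837,
           "cgroup": 4026532207},
    # Container started with host networking: shares net + user, still contained.
    1002: {"mnt": 4026532303, "pid": 4026532304, "net": 4026531992,
           "ipc": 4026532305, "uts": 4026532302, "user": 4026531837,
           "cgroup": 4026532307},
    # Process that has called setns() into init's namespaces: shares everything.
    1003: dict(SAMPLE_HOST),
}


if __name__ == "__main__":
    # Usage on a host: python3 ns_check.py <container pid> [<container pid> ...]
    # Container PIDs can be taken from the container runtime's process listing.
    pids = [int(a) for a in sys.argv[1:]]
    host_ns = read_proc_namespaces(1)
    live = {pid: read_proc_namespaces(pid) for pid in pids}
    for pid, shared in find_escaped(host_ns, live).items():
        print(f"pid {pid} shares host namespaces: {sorted(shared)}")
```

Run this from the host, not from inside a container: inside a container, PID 1 is the container's own init, so the comparison would be meaningless. Note that the check only detects a process that has already joined the host's namespaces; it does not stop the escape. The mitigation the article points to is the unglamorous one of keeping the host kernel patched, since the escape rides on a kernel privilege escalation bug.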
Docker, the company behind the virtualization program that creates containers, said any host system that isn’t fully patched and running containers may become infected – no matter the security provisions of the container.
“Containers don’t help if the kernel is broken. As is the case with any software, if you haven’t installed security updates for two years, you will be vulnerable,” Docker said in a statement to Threatpost.
CyberArk’s researchers agree, to a point. They point out that the proof-of-concept vulnerability they highlighted (CVE-2017-7308) is just one of many that can be easily adapted, with about 20 lines of code, to escape a container and attack a vulnerable host.
“We think that there is more to do to allow better isolation between containers and their hosts,” Stoler told Threatpost. According to the report, CyberArk’s proof-of-concept code can be adapted to any future privilege escalation vulnerability found in the Linux kernel to escape a containerized environment.
Last month, Docker patched a container-escape bug (CVE-2019-5736) found by researcher Adam Iwaniuk tied to a flaw in runC, a container management tool. In January, CyberArk hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system.
For all Threatpost’s RSA Conference 2019 coverage, please visit our special coverage section, available here.