Privilege Escalation Affecting github.com/opencontainers/runc/libcontainer package, versions <1.0.0-rc91
Snyk ID SNYK-GOLANG-GITHUBCOMOPENCONTAINERSRUNCLIBCONTAINER-575144
- published 2 Jul 2020
- disclosed 2 Jul 2020
- credit cyphar
How to fix?
Upgrade github.com/opencontainers/runc/libcontainer to version 1.0.0-rc91 or higher.
Overview
github.com/opencontainers/runc/libcontainer is the Go library behind runc, a CLI tool for spawning and running containers according to the OCI runtime specification.
Affected versions of this package are vulnerable to Privilege Escalation. runc's implementation of the linux.resources.devices list was a black-list by default: only devices explicitly denied were blocked, and everything else was allowed. This means that users who created their own config.json objects and did not prefix the list with a deny-all rule ({"allow": false, "permissions": "rwm"} or equivalent) were not protected by the devices cgroup at all. A malicious container (with sufficient privileges) could then create arbitrary device inodes (assuming it has CAP_MKNOD) and operate on any device inode it can reach (assuming it has regular Unix DAC permissions on it).
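The advisory turns on whether the first entry of linux.resources.devices is a deny-all rule. The following is an added example, not code from the runc project or from this advisory: a small Go audit check that parses an OCI config.json and reports whether its devices list opens with such a rule, run against two constructed configs (the same /dev/null whitelist with and without the deny-all prefix). The field names follow the OCI runtime-spec ("access" rather than libcontainer's "permissions"); treating major/minor of -1 as a wildcard mirrors libcontainer's convention and is an assumption of this check, as are the function and type names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// deviceRule mirrors one entry of the OCI runtime-spec
// linux.resources.devices list (spec field names, e.g. "access").
type deviceRule struct {
	Allow  bool   `json:"allow"`
	Type   string `json:"type,omitempty"`
	Major  *int64 `json:"major,omitempty"`
	Minor  *int64 `json:"minor,omitempty"`
	Access string `json:"access,omitempty"`
}

// ociConfig holds only the slice of config.json this check needs.
type ociConfig struct {
	Linux struct {
		Resources struct {
			Devices []deviceRule `json:"devices"`
		} `json:"resources"`
	} `json:"linux"`
}

// wildcard treats an omitted major/minor (or -1, libcontainer's
// wildcard convention; an assumption here) as "any".
func wildcard(p *int64) bool {
	return p == nil || *p == -1
}

// isDenyAll reports whether a rule denies every device: allow=false,
// type omitted or "a" (all), no major/minor restriction, and access
// covering read, write and mknod in any order.
func isDenyAll(r deviceRule) bool {
	if r.Allow || (r.Type != "" && r.Type != "a") {
		return false
	}
	if !wildcard(r.Major) || !wildcard(r.Minor) {
		return false
	}
	return strings.ContainsRune(r.Access, 'r') &&
		strings.ContainsRune(r.Access, 'w') &&
		strings.ContainsRune(r.Access, 'm')
}

// CheckDevicesWhitelist parses an OCI config.json and reports whether the
// devices cgroup list starts with a deny-all rule, i.e. whether the list
// behaves as a whitelist on runc < 1.0.0-rc91. The message explains the
// verdict for an audit log.
func CheckDevicesWhitelist(configJSON []byte) (bool, string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return false, "", fmt.Errorf("parsing config.json: %w", err)
	}
	rules := cfg.Linux.Resources.Devices
	if len(rules) == 0 {
		return false, "no linux.resources.devices list: no device restrictions at all", nil
	}
	if !isDenyAll(rules[0]) {
		return false, "first device rule is not deny-all: unlisted devices stay accessible (black-list semantics)", nil
	}
	return true, fmt.Sprintf("deny-all prefix present, %d explicit rule(s) follow", len(rules)-1), nil
}

// Constructed sample configs (not taken from the advisory).
const SafeDevicesConfig = `{
  "ociVersion": "1.0.2",
  "linux": {"resources": {"devices": [
    {"allow": false, "access": "rwm"},
    {"allow": true, "type": "c", "major": 1, "minor": 3, "access": "rwm"}
  ]}}
}`

const UnsafeDevicesConfig = `{
  "ociVersion": "1.0.2",
  "linux": {"resources": {"devices": [
    {"allow": true, "type": "c", "major": 1, "minor": 3, "access": "rwm"}
  ]}}
}`

func main() {
	samples := map[string]string{"safe": SafeDevicesConfig, "unsafe": UnsafeDevicesConfig}
	for name, cfg := range samples {
		ok, msg, err := CheckDevicesWhitelist([]byte(cfg))
		if err != nil {
			fmt.Printf("%-6s error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-6s whitelist=%v: %s\n", name, ok, msg)
	}
}
```

The check insists on the deny-all rule being first rather than merely present, because on cgroup v1 the rules are written to devices.deny and devices.allow in list order, so a deny-all that comes after allow rules revokes them rather than establishing a whitelist.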
However, most (if not all) programs that make use of runc include this deny-all rule. It was most likely added before the specification mandated a white-list of devices, and the fact that every known consumer wrote its own deny-all rule obscured the existence of this bug for several years. In fact, even the specification's examples include a default deny-all rule. We therefore believe that while this is a security bug (and has been fixed as such), it was almost certainly not exploitable in the wild due to the inclusion of default deny-all rules by all known users of runc, which is why this advisory has low severity.