Deep-Seated Container Vulnerability Found, Corrected - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud // Infrastructure as a Service
08:00 AM
Connect Directly

Deep-Seated Container Vulnerability Found, Corrected

Researchers at SUSE and Docker turned up a previously unknown vulnerability in container operations and issued a patch.

A vulnerability in container operations has been brought to light by Docker and other parties and illustrates why lack of multiple years of experience with containers makes some implementers cautious. A command to execute the RunC part of the Linux kernel under rare but exploitable circumstances can result in a container process getting a chance to inspect file descriptors on the host.

In the hands of the wrong party, such information available to malevolent code hidden in the container could result in file descriptors on the host system being disclosed or the container itself escaping from its assigned memory space into the host's operations. Since many containers run under the root privilege, such an escape would unleash an intruder into the heart of the host server, a circumstance those running containers in production hope at all costs to avoid.

The vulnerability affects Docker, which issued a patch on Jan. 10. But bloggers at Aqua Security, a firm established by security veterans of Intel, CA Technologies and Imperva, said the vulnerability would be found in non-Docker container systems that make use of the Open Containers Initiative's standard RunC code.

Credit: Pixabay
Credit: Pixabay

The distributors of Arch, a minimal Linux product, rated the vulnerability as "high" on this listing. Cloud Foundry, the open source development platform, listed it as "medium" for its members because it had already included protections against this type of vulnerability inside its Garden container system.

To see why your future almost certainly includes container operations, read Bain: Is Container Use Optional? Probably Not.

The vulnerability was most likely to be implemented with the use of ptrace, or Process Trace, a Linux system call that allows one process to control another, warned bloggers at Red Hat and CoreOS. Under certain circumstances, when RunC implements ptrace, "This allows the main processes of the gain access to file-descriptors of these new processes during the initialization and lead to container escapes…" said Alex Crawford at CoreOS in a blog posted Jan. 10.

The vulnerability was given the designation CVE-2016-9962 on the list of Common Vulnerabilities and Exposures maintained by the Department of Homeland Security. The designation, however, is linked to little information about the defect. Bugzilla labeled it bug 1012568.

Container experts at Aqua Security, a firm formed from security specialists at Intel, CA Technologies and Imperva (previously known as Scalock), said the vulnerability doesn't affect just Docker users but any user of RunC, as established by the Open Container Initiative.

In a blog posted Jan. 17 entitled CVE-2016-9962: Run Container, Run! Aqua Security senior researcher Sagie Dulce said the window for mischief "is very small." It occurs when a RunC initialization process executes a command inside the container when the container also has access to the RunC process on the host.

"This window could enable a container, for example, to list file descriptors on the host process, which can then lead it to the host’s file system. Because many containers run as root, this indeed has serious implications," he wrote in the blog.

The exposure is more pernicious because it occurs so close to many other operations on the host. If a container administrator thinks something might be wrong with a container, he might run a Linux shell inside the container to understand the issue. "If that container is malicious, the process of running that shell could enable it to escape to the host," he warned.

After such an escape, there would be little sign that anything was amiss. "The container can return to normal behavior and you can go back to doing whatever it is your were doing… but oblivious to the exploit that just took place," he said.

Software engineers Aleksa Sarai at SUSE working with Tonis Tiigi at Docker discovered and documented  the bug and came up with the patch.

The fact that those most concerned about secure operations made the find is unlikely to totally settle the remaining doubts about container operations. IT managers are responsible for the privacy and security of information that may one day be flowing through containerized systems presumed secure but experiencing a not yet disclosed vulnerability. It will take many more years of secure operations before containers, running under a shared operating system and in a shared memory space with only logical boundaries between them, will be 100% trusted.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Author
1/23/2017 | 5:50:52 PM
Why automated updates may be in your IT future
I had the chance to ask CoreOS CEO Alex Polvi how his firm patched the version of Docker that gets distributed about a million times a month via CoreOS' Container Linux. He said when the Docker patch became available Jan. 10, his firm immediately started the automatic update process for the stable version of Container Linux and the beta and alpha versions as well. Not all customers choose to use the automatic update process. Those that do have countered a major security bug within a few hours of the availability of the patch, he said. "We were able to go out and fix a significant chunk of the Web," he said.

InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll