Containers, orchestration, Docker, Kubernetes: we hear about these technologies more and more every day.
Containers and containerization have become a natural choice for modern organizations, from small startups to large enterprises.
Adopting them requires adjusting processes and approaches across all environments (development, testing and production), and in return brings agile and continuous deployment.
But along with these benefits, an organization also needs to ensure that its containers are configured securely and kept up to date.
A few days ago a new vulnerability was disclosed in Docker's runc component (CVE-2019-5736).
By exploiting this vulnerability, a malicious adversary could use a misconfigured container to escalate privileges on the host system and execute arbitrary commands.
A PoC exploit was released on GitHub: https://github.com/feexd/pocs/tree/master/CVE-2019-5736 . If you would like to test it in your environment, beware that this exploit overwrites runc on the host system.
Main lessons learned:
1. Defense-in-depth is important.
Deploying additional mitigations, such as running containers as non-root, user namespace mappings and SELinux, can mitigate this issue.
2. Patching is important.
Organizations must have robust and automated patching mechanisms. Alternatively, run serverless so that there are no hosts to patch (e.g. ECS Fargate).
3. A container doesn't necessarily offer complete separation.
Don't run mixed workloads from different customers (i.e. organizations) or of different sensitivity (public vs. sensitive internal apps) on the same host.
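Lessons 1 and 3 both come down to checking how each container is actually configured. The following script is an added example (not Comsec's tooling, and not from the runc or Docker projects): it audits the JSON that `docker inspect` and `docker info --format '{{json .}}'` emit for the mitigations named above, flagging containers that run as root, run privileged, opt out of user namespace remapping, or disable SELinux labelling. The two containers and the daemon fragment in the sample are constructed inline so the script runs offline; in practice you would feed it the real command output.

```python
"""Audit `docker inspect` / `docker info` JSON for the defense-in-depth
mitigations discussed in the post: non-root containers, user namespace
remapping and SELinux. Added example; field names follow the JSON that
the Docker CLI emits."""
import json

# Constructed sample `docker inspect` output: one hardened container, one risky.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-hardened",
        "Config": {"User": "10001:10001"},
        "HostConfig": {"Privileged": False, "UsernsMode": "", "SecurityOpt": None},
    },
    {
        "Name": "/batch-risky",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": True, "UsernsMode": "host",
                       "SecurityOpt": ["label=disable"]},
    },
])

# Constructed `docker info` fragment: daemon runs with userns-remap and SELinux.
SAMPLE_INFO = json.dumps({"SecurityOptions": ["name=seccomp,profile=default",
                                              "name=selinux", "name=userns"]})


def daemon_features(info_json):
    """Which host-wide mitigations the daemon reports in SecurityOptions."""
    opts = json.loads(info_json).get("SecurityOptions") or []
    return {
        "userns": any(o.startswith("name=userns") for o in opts),
        "selinux": any(o.startswith("name=selinux") for o in opts),
    }


def audit_container(container, features):
    """Return a list of findings (empty list means every check passed)."""
    findings = []
    user = (container.get("Config") or {}).get("User") or ""
    host_cfg = container.get("HostConfig") or {}
    # An empty User means the image default, which is root unless the
    # image itself sets USER; "root" and uid 0 are root explicitly.
    if user == "" or user.split(":")[0] in ("root", "0"):
        findings.append("runs as root (no non-root User set)")
    if host_cfg.get("Privileged"):
        findings.append("privileged container: all capabilities granted")
    if not features["userns"]:
        findings.append("daemon has no userns-remap; container root maps to host root")
    elif host_cfg.get("UsernsMode") == "host":
        findings.append("opted out of userns-remap with --userns=host")
    sec_opts = host_cfg.get("SecurityOpt") or []
    if not features["selinux"]:
        findings.append("SELinux not enabled on the daemon")
    elif "label=disable" in sec_opts:
        findings.append("SELinux labelling disabled for this container")
    return findings


def audit(inspect_json, info_json):
    """Map container name -> findings for every container in the inspect output."""
    features = daemon_features(info_json)
    return {c["Name"]: audit_container(c, features) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT, SAMPLE_INFO).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against live output with `docker inspect $(docker ps -q)` and `docker info --format '{{json .}}'` captured to files. A container with an empty finding list satisfies all three checks; a host where the daemon itself lacks userns-remap or SELinux will flag every container, which is the point: those are host-level settings, and a single weak host is exactly what lesson 3 warns against sharing between tenants.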
We at Comsec can help your organization identify security-misconfigured containers and advise on how to properly secure them.