Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Containers Can’t Fence Dirty COW Vulnerability

The Dirty COW vulnerability in the Linux kernel that was revealed late last month can’t be mitigated with the help of containers, security researchers have discovered.

The Dirty COW vulnerability in the Linux kernel that was revealed late last month can’t be mitigated with the help of containers, security researchers have discovered.

The flaw (CVE-2016-5195relies on a race condition in the kernel, between the operation that performs writes to copy-on-write (COW) memory mappings, and the one that continuously disposes of that memory. When the race condition appears, the kernel might end up writing data to read-only memory mapping, instead of making a private copy first.

Proof of concept (POC) exploit codes that leverage the vulnerability have already started to emerge, including some targeted at Android devices. These POCs revealed that one can write to read-only files, and that root access could be achieved, and even how to break out of a container.

Dirty COW VunerabilityAqua Security Software researchers explain that the available POCs focused on privilege escalation inside the container, but that it is possible to run code inside a container, from a non-root user, to write data to a “protected” file on the read-only volume the container was mounted on.

Aqua’s Sagie Dulce explains that even users with root privileges shouldn’t have write access to a mapped read-only volume in a container, let alone a non-root user. However, Dirty COW makes it possible for data on the host to be manipulated from within the container.

Next, the researchers tested their code in a container with user namespace, as a non-root user inside the container. When running with user namespace, the root user inside the container is mapped to a non-root UID (a non-privileged user) on the host. The test revealed that, even if the user in the container was non-root and it shouldn’t have root on the host, the code would still write to the “protected” file on the host.

“In conclusion, when it comes to kernel vulnerabilities, you can’t be too careful. Containers still share the same kernel, which when exploited has the potential of jeopardizing other containers or the underlying host. We saw that a simple POC, which was not meant to break out of a container, could still modify data on the host,” Aqua’s researcher notes.

Others too have discovered that containers such as Docker can’t keep systems safe from Dirty COW. Paranoid Software explains that they decided to exploit the vDSO (virtual dynamic shared object) feature in Linux, because this small shared library is automatically mapped by the kernel into the address space of all user-space applications.

A POC available on GitHub uses Dirty COW to modify the clock_gettime() function in the vDSO memory space for all callers, not just the running process. “Once the race condition is triggered, and the shellcode executes, it will send you a root shell,” Paranoid Software’s Gabriel Lawrence says. The researchers published a video demonstrating the exploit.

Advertisement. Scroll to continue reading.

“I’m particularly interested in demonstrating escaping out of Docker simply because I think many people overestimate what is required. Kernel exploits are rarer than user space escalations, but they are not without example – and understanding that even with the separation offered by the kernel features that make containers possible, it’s possible to get past them with a kernel exploit,” Lawrence notes.

Related Reading: Disrupting the Disruptor: Security of Docker Containers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.