Connect with us

Hi, what are you looking for?


Cloud Security

Exploit Code Published for Recent Container Escape Vulnerability

Proof-of-concept (PoC) code is now publicly available for a recently disclosed container escape vulnerability impacting popular cloud platforms, including AWS, Google Cloud, and numerous Linux distributions.

Proof-of-concept (PoC) code is now publicly available for a recently disclosed container escape vulnerability impacting popular cloud platforms, including AWS, Google Cloud, and numerous Linux distributions.

The flaw was discovered last month in runc, a lightweight, portable container runtime used in most containers out there, including cri-o, containerd, Kubernetes, Podman, and others. Tracked as CVE-2019-5736, the vulnerability could be exploited with minimal user interaction to execute code on the host.

One week after the security flaw was publicly disclosed, a Go implementation of the container escape was published on GitHub. The exploit requires root (uid 0) inside the container to work. 

“An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit which will allow code execution as root,” the code’s authors explain.

The implementation basically overwrites runc on the host and ensures the system will no longer be able to run Docker containers. Those willing to give it a try should first backup either /usr/bin/docker-runc or /usr/bin/runc and also check /usr/sbin

This, however, is only one of the exploitation scenarios the vulnerability makes possible. A second scenario involves the use of a malicious Docker image that triggers the exploit, without requiring to exec into the container. 

Last week, Amazon and Google confirmed their products were impacted, as did Red Hat, Debian and Ubuntu. LXC was also found affected.

Since then, VMware also confirmed that its products are impacted, and released patches to address the vulnerability in VMware Integrated OpenStack with Kubernetes (VIO-K), VMware PKS (PKS), VMware vCloud Director Container Service Extension (CSE), and vSphere Integrated Containers (VIC). 

Advertisement. Scroll to continue reading.

“VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host’s runc binary and execute arbitrary code,” VMware notes in an advisory

Cisco says it has yet to determine which of its products and cloud services are impacted by the flaw, and that it is currently investigating dozens of them. To date, the company was able to confirm a single product not impacted by the flaw, namely Cisco Metacloud. 

Related: Container Escape Flaw Hits AWS, Google Cloud, Linux Distros

Related: Misconfiguration a Top Security Concern for Containers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.