Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-5736

Severity: 8.6 HIGH
EPSS: 59.2% (top 1.77%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Feb 11 | Latest update May 31

Description

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 6.0

Affected Packages (15 packages)

NVD | linuxcontainers/lxc | < 3.2.0
NVD | docker/docker | < 18.09.2
Debian | runc | < 1.0.0~rc6+dfsg1-2+3
CVEListV5 | docker | Affected version is 1.13.1-108.git4ef4b30.el7 shipped in Red Hat Enterprise Linux 7 Extras

Also affects: Fedora 29, 30; Ubuntu Linux 16.04, 18.04, 18.10, 19.04; Enterprise Linux 8.0

Patches

🔴 Vulnerability Details (6)

Kernel | fs: don't block i_writecount during exec | 2024-05-31
GHSA | GHSA-gxmr-w5mj-v8hh: runc through 1 | 2022-05-13
Kernel | Merge branch 'work.openat2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs | 2020-01-29
OSV | CVE-2019-5736: runc through 1 | 2019-02-11
CVEList | CVE-2019-5736: runc through 1 | 2019-02-11

💥 Exploits & PoCs (3)

Exploit-DB | runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2) | 2019-02-13
Exploit-DB | runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1) | 2019-02-12
Metasploit | Docker Container Escape Via runC Overwrite

📋 Vendor Advisories (6)

Ubuntu | Docker vulnerabilities | 2019-07-08
VMware | VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. | 2019-02-15
Cisco | Container Privilege Escalation Vulnerability Affecting Cisco Products: February 2019 | 2019-02-15
Microsoft | runc through 1.0-rc6 as used in Docker before 18.09.2 and other products allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to exec | 2019-02-12
Red Hat | runc: Execution of malicious containers allows for container escape and access to host filesystem | 2019-02-11

🕵️ Threat Intelligence (6)

Unit42 | Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances | 2021-09-09
Unit42 | Breaking Out of rkt – 3 New Unpatched CVEs | 2019-05-30
Unit42 | Breaking out of Docker via runC – Explaining CVE-2019-5736 | 2019-02-21

💬 Community (10)

Bugzilla | CVE-2020-14298 docker: Security regression of CVE-2019-5736 due to inclusion of vulnerable runc | 2020-06-18
HackerOne | CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host | 2019-09-26
Bugzilla | CVE-2019-5736 docker-latest: runc: Execution of malicious containers allows for container escape and access to host filesystem [fedora-all] | 2019-02-13
Bugzilla | CVE-2019-5736 container-tools:2018.0/runc: Execution of malicious containers allows for container escape and access to host filesystem [fedora-29] | 2019-02-11
Bugzilla | CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem [fedora-all] | 2019-02-11
CVE-2019-5736 (HIGH CVSS 8.6) | runc through 1.0-rc6 | cvebase.io