A runtime used to support Docker and Linux container engines suffered a vulnerability the past few days. An attack could consequently compromise the entire infrastructure
Polish researchers Adam Iwaniuk et al discovered vulnerability CVE-2019-5736. They found it was possible for hackers to gain access out of sandboxes and root access on host servers. Examining potential attacks coming from a process inside a container or a docker image, they successfully executed code at admin level through both vectors. RunC also runs CRI-O Podman. Podman is the secure process of running groups of containers. As a result, this expands the platforms vulnerable to attacks.
What the attack entails
By overwriting a binary in the container with a symbolic link such as exec, the binary executes. After that, the runtime executes the symbolic link to itself. An attacker then uses a file descriptor to overwrite the file. As it cannot overwrite whilst running, it is only successful when the runC process exits. Hackers cannot attack remotely but can gain access to services running on the server through a single privileged Docker image. This is a cause for concern for the industry indicating organisations should take action to prevent itself from receiving such attacks.
Based on past attacks the maritime sector may be affected
The shipping industry is the third to last industry to receive cyberattacks. There are many reasons as to why this is, one being the initial low dependency on technology. However, as with other sectors reliance on computer networks rose significantly. Now it is an industry highly exposed to cyber attacks such as ransomware for financial gain and to cause destruction. The sector suffered attacks in 2017 with the NotPetya attack destroying the computer network of Danish container firm Maersk. Consequently, it affected operations worth $300m. July 2018 saw similar events happen with China Ocean Shipping Company (COSO), where a ransomware attack changed its internet connections. The unpreparedness of the industry is what was identified as a general weakness across the world.
The researchers stated there is a high possibility most container runtimes are vulnerable to this flaw. Since the researcher reported the vulnerability. Amazon Web Services (AWS) has since issued patches for its runC platforms.
Is there a POC exploit?
Yes there is, you can find it HERE