Vulnerability Details : CVE-2019-5736

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Published 2019-02-11 19:29:00

Updated 2021-12-16 18:38:05

Source MITRE

View at NVD, CVE.org

At least one public exploit which can be used to exploit this vulnerability exists!

Exploit prediction scoring system (EPSS) score for CVE-2019-5736

Probability of exploitation activity in the next 30 days: 0.31%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 66 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2019-5736

Docker Container Escape Via runC Overwrite

Disclosure Date : 2019-01-01

exploit/linux/local/docker_runc_escape

This module leverages a flaw in `runc` to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the `runc` binary with the payload and wait for someone to use `docker exec` to get into the container. This will trigger the payload execution. Note that executing this exploit carries important risks regarding the Docker installation integrity on the target and inside the container ('Side Effects' section in the documentation).

More information

CVSS scores for CVE-2019-5736

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.6	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	1.8	6.0	[email protected]
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-5736

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: [email protected] (Primary)

References for CVE-2019-5736

https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706@%3Cuser.mesos.apache.org%3E

Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/

Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0401

Third Party Advisory
http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html

Exploit;Third Party Advisory;VDB Entry
https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E

Mailing List;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4048-1/

Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/[email protected]/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/

Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://www.exploit-db.com/exploits/46369/

Exploit;Third Party Advisory;VDB Entry
https://access.redhat.com/security/cve/cve-2019-5736

Third Party Advisory
https://github.com/q3k/cve-2019-5736-poc

Exploit;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html

Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0975

Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0304

Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/07/06/4

Mailing List;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202003-21

Third Party Advisory

CVEs referencing this url
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html

Exploit;Mitigation;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html

Mailing List;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0303

Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2019-002/

Third Party Advisory
https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/

Patch;Third Party Advisory;Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/

Third Party Advisory
https://www.exploit-db.com/exploits/46359/

Exploit;Third Party Advisory;VDB Entry
https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003

Exploit;Patch;Third Party Advisory
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944

Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/

Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/03/23/1

Mailing List;Third Party Advisory
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc

Third Party Advisory
https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/

Third Party Advisory
http://www.securityfocus.com/bid/106976

Third Party Advisory;VDB Entry
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E

Mailing List;Third Party Advisory

CVEs referencing this url
https://brauner.github.io/2019/02/12/privileged-containers.html

Exploit;Technical Description;Third Party Advisory
https://github.com/rancher/runc-cve

Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

Third Party Advisory
https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46@%3Cdev.dlab.apache.org%3E

Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/10/29/3

Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587@%3Cdev.dlab.apache.org%3E

Mailing List;Third Party Advisory
https://access.redhat.com/security/vulnerabilities/runcescape

Third Party Advisory

CVEs referencing this url
https://www.synology.com/security/advisory/Synology_SA_19_06

Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0408

Third Party Advisory
https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d

Patch;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html

Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2019/07/06/3

Mailing List;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html

Mailing List;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/Frichetten/CVE-2019-5736-PoC

Exploit;Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/06/28/2

Mailing List;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2019/10/24/1

Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b

Patch;Third Party Advisory
http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html

Third Party Advisory;VDB Entry
https://bugzilla.suse.com/show_bug.cgi?id=1121967

Issue Tracking;Patch;Third Party Advisory
https://security.netapp.com/advisory/ntap-20190307-0008/

Third Party Advisory
https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e@%3Cdev.dlab.apache.org%3E

Mailing List;Third Party Advisory
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/

Third Party Advisory
https://github.com/docker/docker-ce/releases/tag/v18.09.2

Release Notes;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html

Mailing List;Third Party Advisory

CVEs referencing this url
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us

Permissions Required
https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3@%3Cdev.dlab.apache.org%3E

Mailing List;Third Party Advisory
https://www.openwall.com/lists/oss-security/2019/02/11/2

Mailing List;Patch;Third Party Advisory
https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/

Patch;Third Party Advisory;Vendor Advisory

Products affected by CVE-2019-5736

HP » Onesphere » Version: N/A
cpe:2.3:a:hp:onesphere:-:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift » Version: 3.6
cpe:2.3:a:redhat:openshift:3.6:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift » Version: 3.7
cpe:2.3:a:redhat:openshift:3.7:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift » Version: 3.4
cpe:2.3:a:redhat:openshift:3.4:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift » Version: 3.5
cpe:2.3:a:redhat:openshift:3.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Container Development Kit » Version: 3.7
cpe:2.3:a:redhat:container_development_kit:3.7:*:*:*:*:*:*:*
Matching versions
Apache » Mesos
Versions from including (>=) 1.4.0 and before (<) 1.4.3
cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*
Matching versions
Apache » Mesos
Versions from including (>=) 1.5.0 and before (<) 1.5.3
cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*
Matching versions
Apache » Mesos
Versions from including (>=) 1.7.0 and before (<) 1.7.2
cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*
Matching versions
Apache » Mesos
Versions from including (>=) 1.6.0 and before (<) 1.6.2
cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*
Matching versions
Microfocus » Service Management Automation » Version: 2018.02
cpe:2.3:a:microfocus:service_management_automation:2018.02:*:*:*:*:*:*:*
Matching versions
Microfocus » Service Management Automation » Version: 2018.05
cpe:2.3:a:microfocus:service_management_automation:2018.05:*:*:*:*:*:*:*
Matching versions
Microfocus » Service Management Automation » Version: 2018.08
cpe:2.3:a:microfocus:service_management_automation:2018.08:*:*:*:*:*:*:*
Matching versions
Microfocus » Service Management Automation » Version: 2018.11
cpe:2.3:a:microfocus:service_management_automation:2018.11:*:*:*:*:*:*:*
Matching versions
Google » Kubernetes Engine » Version: N/A
cpe:2.3:a:google:kubernetes_engine:-:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 29
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.3
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.0
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Backports Sle » Version: 15.0
cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
Matching versions
Opensuse » Backports Sle » Version: 15.0 Update SP1
cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
Matching versions
Netapp » Hci Management Node » Version: N/A
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
Matching versions
Netapp » Solidfire » Version: N/A
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc
Versions up to, including, (<=) 0.1.1
cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc » Version: 1.0.0 Update RC6
cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc » Version: 1.0.0 Update RC1
cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc » Version: 1.0.0 Update RC5
cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc » Version: 1.0.0 Update RC4
cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc » Version: 1.0.0 Update RC3
cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc » Version: 1.0.0 Update RC2
cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*
Matching versions
Linuxcontainers » LXC
Versions before (<) 3.2.0
cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:*
Matching versions
Docker » Docker
Versions before (<) 18.09.2
cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*
Matching versions
D2iq » Kubernetes Engine
Versions before (<) 2.2.0-1.13.3
cpe:2.3:a:d2iq:kubernetes_engine:*:*:*:*:*:*:*:*
Matching versions
D2iq » Dc/os
Versions from including (>=) 1.11.10 and before (<) 1.12.1
cpe:2.3:o:d2iq:dc\/os:*:*:*:*:*:*:*:*
Matching versions
D2iq » Dc/os
Versions from including (>=) 1.10.11 and before (<) 1.11.9
cpe:2.3:o:d2iq:dc\/os:*:*:*:*:*:*:*:*
Matching versions
D2iq » Dc/os
Versions before (<) 1.10.10
cpe:2.3:o:d2iq:dc\/os:*:*:*:*:*:*:*:*
Matching versions