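High severity: runc < 1.0-rc6 /proc/self/exe remote code execution vulnerability
CVE ID: CVE-2019-5736
Exploitation status: EXP public
Patch status: Official patch
Disclosure date: 2019-02-12

Vulnerability description
Docker, containerd, and other runc-based containers have a security vulnerability at runtime. Through a specific container image or an exec operation, an attacker can obtain the file handle of the host's runc while it is executing and overwrite the runc binary, thereby gaining root execution privileges on the host.

Remediation
1. Create a new Kubernetes 1.11 or 1.12 cluster. Kubernetes clusters of version 1.11 or 1.12 newly created by Container Service already include a Docker version that fixes this vulnerability.
2. Upgrade Docker. Upgrade Docker on existing clusters to 18.09.2 or later. This approach interrupts containers and business workloads.
3. Upgrade runc only (for Docker version 17.06). For details, see: https://help.aliyun.com/document_detail/107320.html

Affected software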
Type | Vendor | Product | Version | Affected range |
---|---|---|---|---|
Application | apache | mesos | * | From (including) 1.4.0; Up to (excluding) 1.4.3 |
Application | apache | mesos | * | From (including) 1.5.0; Up to (excluding) 1.5.3 |
Application | apache | mesos | * | From (including) 1.6.0; Up to (excluding) 1.6.2 |
Application | apache | mesos | * | From (including) 1.7.0; Up to (excluding) 1.7.2 |
Application | docker | docker | * | Up to (excluding) 18.09.2 |
Application | kubernetes_engine | - | - | |
Application | hp | onesphere | - | - |
Application | linuxcontainers | lxc | * | Up to (excluding) 3.2.0 |
Application | linuxfoundation | runc | * | Up to (including) 0.1.1 |
Application | linuxfoundation | runc | 1.0.0 | - |
Application | mesosphere | kubernetes_engine | * | Up to (excluding) 2.2.0-1.13.3 |
Application | microfocus | service_management_automation | 2018.02 | - |
Application | microfocus | service_management_automation | 2018.05 | - |
Application | microfocus | service_management_automation | 2018.08 | - |
Application | microfocus | service_management_automation | 2018.11 | - |
Application | netapp | hci_management_node | - | - |
Application | netapp | solidfire | - | - |
Application | opensuse | backports_sle | 15.0 | - |
Application | redhat | container_development_kit | 3.7 | - |
Application | redhat | openshift | 3.4 | - |
Application | redhat | openshift | 3.5 | - |
Application | redhat | openshift | 3.6 | - |
Application | redhat | openshift | 3.7 | - |
System | alpine_3.10 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.11 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.12 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.13 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.14 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.15 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.16 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.17 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.18 | lxc | * | Up to (excluding) 3.1.0-r1 |
System | alpine_3.9 | flatpak | * | Up to (excluding) 3.1.0-r1 |
System | alpine_edge | lxc | * | Up to (excluding) 3.1.0-r1 |
System | amazon_AMI | docker | * | Up to (excluding) 18.06.1ce-7.25.amzn1 |
System | centos_7 | runc | * | Up to (excluding) 1.13.1-91.git07f3374.el7 |
System | centos_8 | fuse-overlayfs-debuginfo | * | Up to (excluding) 0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551 |
System | debian_10 | lxc | * | Up to (excluding) 1.0.0~rc6+dfsg1-2 |
System | debian_11 | lxc | * | Up to (excluding) 1.0.0~rc6+dfsg1-2 |
System | debian_12 | lxc | * | Up to (excluding) 1.0.0~rc6+dfsg1-2 |
System | debian_sid | lxc | * | Up to (excluding) 1.0.0~rc6+dfsg1-2 |
System | fedora_28 | runc-debuginfo | * | Up to (excluding) 1.13.1-65.git1185cfd.fc28 |
System | fedora_29 | runc-debuginfo | * | Up to (excluding) 1.13.1-65.git1185cfd.fc29 |
System | fedora_30 | runc-debuginfo | * | Up to (excluding) 3.0.4-1.fc30 |
System | opensuse_Leap_15.0 | runc | * | Up to (excluding) 1.12.4-lp150.2.2 |
System | opensuse_Leap_15.1 | lxc | * | Up to (excluding) 1.12.4-lp151.2.3.1 |
System | opensuse_Leap_42.3 | docker-runc | * | Up to (excluding) 1.2.2-22.1 |
System | oracle_7 | oraclelinux-release | * | Up to (excluding) 18.03.1.ol-0.0.12.el7 |
System | oracle_8 | oraclelinux-release | * | Up to (excluding) 0.1-2.dev.gitc4e1bc5.module+el8.0.0+5215+77f672ad |
System | redhat_7 | runc | * | Up to (excluding) 1.13.1-91.git07f3374.el7 |
System | redhat_8 | fuse-overlayfs-debuginfo | * | Up to (excluding) 0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551 |
System | suse_12 | containerd | * | Up to (excluding) 1.2.6-16.23 |
System | ubuntu_16.04 | docker.io | * | Up to (excluding) 1.0.0~rc2+docker1.13.1-0ubuntu1~16.04.1 |
System | ubuntu_16.04.7_lts | docker.io | * | Up to (excluding) 18.06.1-0ubuntu1.2~16.04.1 |
System | ubuntu_18.04 | docker.io | * | Up to (excluding) 1.0.0~rc4+dfsg1-6ubuntu0.18.04.1 |
System | ubuntu_18.04.5_lts | docker.io | * | Up to (excluding) 18.06.1-0ubuntu1.2~18.04.1 |
System | ubuntu_18.10 | docker.io | * | Up to (excluding) 8.06.1-0ubuntu1.2 |

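- Attack vector: Local
- Attack complexity: Complex
- Privileges required: Normal user privileges
- Scope of impact: Global
- Exploit maturity: EXP public
- Patch status: Official patch
- Data confidentiality: Data disclosure
- Data integrity: No impact
- Server impact: Server compromise
- Internet-wide count: N/A
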
CWE-ID | Vulnerability type |
---|---|
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |

Exploit-related links
- https://github.com/13paulmurith/Docker-Runc-Exploit
- https://github.com/agppp/cve-2019-5736-poc
- https://github.com/b3d3c/poc-cve-2019-5736
- https://github.com/BBRathnayaka/POC-CVE-2019-5736
- https://github.com/Billith/CVE-2019-5736-PoC
- https://github.com/chosam2/cve-2019-5736-poc
- https://github.com/epsteina16/Docker-Escape-Miner
- https://github.com/Frichetten/CVE-2019-5736-PoC
- https://github.com/GiverOfGifts/CVE-2019-5736-Custom-Runtime
- https://github.com/jakubkrawczyk/cve-2019-5736
- https://github.com/jas502n/CVE-2019-5736
- https://github.com/Lee-SungYoung/cve-2019-5736-study
- https://github.com/likescam/CVE-2019-5736
- https://github.com/likescam/cve-2019-5736-poc
- https://github.com/milloni/cve-2019-5736-exp
- https://github.com/q3k/cve-2019-5736-poc
- https://github.com/RyanNgWH/CVE-2019-5736-POC
- https://github.com/shen54/IT19172088
- https://github.com/stillan00b/CVE-2019-5736
- https://github.com/twistlock/RunC-CVE-2019-5736
- https://github.com/yyqs2008/CVE-2019-5736-PoC-2
- https://github.com/zyriuse75/CVE-2019-5736-PoC
- https://www.exploit-db.com/exploits/46359
- https://www.exploit-db.com/exploits/46369
