rkt Container Runtime Flaws Give Root Access to Host

Unpatched vulnerabilities found in the rkt container runtime can be exploited by an attacker to escape the container and gain root access to the host. 


The flaws can be exploited to compromise the host when a user executes the ‘rkt enter’ command (which is the equivalent of ‘docker exec’) into an attacker-controlled pod, Yuval Avrahami, a security researcher at Twistlock, explains. 


rkt, an open source container runtime created by CoreOS and a CNCF incubating project, is widely appreciated. The runtime's basic unit of execution is a pod, which groups multiple containers running in a shared context, the researcher explains.


At the moment, the project no longer appears to be under active development, following the acquisition of CoreOS by Red Hat in mid-2018. Although an open source project, rkt does not appear to have many contributors.


The ‘rkt enter’ command, the researcher notes, allows users to execute binaries in a running container. Such binaries run as root with all capabilities, with no seccomp filtering or cgroup isolation applied, and are restricted only by namespaces.


Because of that, it is possible to escape the container, and this is what the discovered vulnerabilities allow for, Avrahami explains. 


The flaws are tracked as CVE-2019-10144 (processes run with `rkt enter` are given all capabilities during stage 2), CVE-2019-10145 (processes run with `rkt enter` do not have seccomp filtering during stage 2), and CVE-2019-10147 (processes run with `rkt enter` are not limited by cgroups during stage 2). 
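A defender's check for the three conditions those CVEs describe (full capability set, no seccomp filter, root cgroup) read from a process's /proc entries, as an added example that is not from the article or the rkt project. The capability bit numbers are from linux/capability.h; the sample /proc text is constructed.

```python
"""Flag processes that carry the 'rkt enter' risk profile: dangerous capabilities,
Seccomp mode 0 and membership of the root cgroup. Reads the same text that
/proc/<pid>/status and /proc/<pid>/cgroup expose."""

# Bit numbers from linux/capability.h (not from the article); a small, high-impact subset.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN": 21, "CAP_SYS_PTRACE": 19, "CAP_SYS_MODULE": 16}


def parse_status(text):
    """Turn 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def dangerous_cap_names(cap_eff_hex):
    """Names from DANGEROUS_CAPS whose bit is set in the CapEff mask."""
    mask = int(cap_eff_hex, 16)
    return {name for name, bit in DANGEROUS_CAPS.items() if (mask >> bit) & 1}


def in_root_cgroup(cgroup_text):
    """True when every 'id:controllers:path' line of /proc/<pid>/cgroup points at '/'."""
    paths = [l.split(":", 2)[2] for l in cgroup_text.splitlines() if l.count(":") >= 2]
    return bool(paths) and all(p == "/" for p in paths)


def assess(status_text, cgroup_text):
    """Return a list of findings; an empty list means none of the three conditions hold."""
    fields = parse_status(status_text)
    findings = []
    caps = dangerous_cap_names(fields.get("CapEff", "0"))
    if caps:
        findings.append("dangerous caps: " + ", ".join(sorted(caps)))
    if fields.get("Seccomp", "0") == "0":  # 0 = disabled, 1 = strict, 2 = filter
        findings.append("no seccomp filter")
    if in_root_cgroup(cgroup_text):
        findings.append("root cgroup (no resource limits)")
    return findings


def assess_pid(pid):
    """Live check of a running process on a Linux host."""
    with open(f"/proc/{pid}/status") as s, open(f"/proc/{pid}/cgroup") as c:
        return assess(s.read(), c.read())


# Constructed samples: an unconfined root shell, and a confined one with a
# Docker-style default capability set, a seccomp filter and its own cgroup.
UNCONFINED_STATUS = "Name:\tsh\nPid:\t4242\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"
UNCONFINED_CGROUP = "0::/\n"
CONFINED_STATUS = "Name:\tsh\nPid:\t4243\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
CONFINED_CGROUP = "0::/system.slice/example.scope\n"
```

Run `assess_pid(<pid>)` against a shell started with `rkt enter` to see which of the three findings apply on a given host.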


To exploit the bugs, an attacker requires root access to the container. Thus, when the user runs the ‘rkt enter’ command, the attacker can overwrite binaries an ..
