runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Source: MITRE

Published: 2019-02-11

Updated: 2020-11-16

Type: CWE-78

Risk Information

CVSS v2.0

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

CVSS v3.0

Base Score: 8.6

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Impact Score: 6

Exploitability Score: 1.8

Severity: HIGH