AWS Issues Alert for Multiple Container Systems

Written by

A security issue that affects several open source container management systems, including Amazon Linux and Amazon Elastic Container Service, has been disclosed by AWS.

The vulnerability (CVE-2019-5736) was reportedly discovered by security researchers Adam Iwaniuk, Borys Poplawski and Aleksa Sarai and would allow an attacker with minimal user interaction to “overwrite the host runc binary and thus gain root-level code execution on the host.”

Also among the affected AWS containers are the service for Kubernetes (Amazon EKS), Fargate, IoT Greengrass, Batch, Elastic Beanstalk, Cloud 9, SageMaker, RoboMaker and Deep Learning AMI. In its security issue notice published 11 February, AWS said that no customer action is required for those containers not on the list.

Though blocked when correctly using user namespaces, the vulnerability is not blocked by the default AppArmor policy or the default SELinux policy of Fedora [++], according to Sarai.

A common type of container exploit, this vulnerability is known as a host breakout attack, according to Praveen Jain, chief technology officer at Cavirin. “That these still occur, and will continue to occur, is all the more reason to ensure you have the people, processes and technical controls in place to identify and immediately remediate these types of vulnerabilities with a goal of securing their cyber posture.”

If malicious actors were to leverage this vulnerability, Sarai said they could create a new container using attacker-controlled images or attach to an existing container to which the attacker had previous write access.

“This is the first major container vulnerability we have seen in a while and it further enforces the need for visibility of your hosts and containers both in the cloud and traditional data centers using docker and other containers,” said Dan Hubbard, chief product officer at Lacework.

“Security here starts with deep visibility into who is installing containers and what are their behaviors and, of course, timely patching.”

What’s hot on Infosecurity Magazine?