Docker, along with Kubernetes, Containerd and all the other Linux container technologies that are based on the runc runtime module are affected by CVE-2019-5736  which allows the host runc to be overwritten and consequently obtain root access on the host server.

Attackers first need to create a malicious Docker container. When this is installed on any vulnerable host, the vulnerability can be exploited with minimal user interaction.  Anyone with an unpatched Linux server should take care before installing any third-party containers where the source is not fully-trusted.  The major cloud hosting providers, such as AWS, Google and Docker have all installed the patch to mitigate the vulnerability leaving self-hosted instances the most vulnerable.

In a related event, security firm Impreva has recently published a report on the number of misconfigured Docker hosts which expose the Docker API to the Internet. The Docker API is designed to be bound to the local host (127.0.0.1) network interface to allow local users to interact with the Docker subsystem; however, several thousand Docker hosts have been indexed on the Internet with their API publicly exposed. This would enable anyone to issue commands to the Docker subsystem including the ability to load new containers and execute them.  In Impreva’s research they noticed a large number of cryptocurrency mining containers running on these exposed hosts.   A malicious actor who discovered one of these misconfigured Docker hosts (easily done using the Shodan search engine) would, if the host was unpatched against CVE-2019-5736, be able to not only mount their own arbitrary container but also obtain root access to the host server itself and use that as a beachhead to pivot into an attack against the rest of the target’s infrastructure.

Network Administrators should regularly perform External Penetration Tests against their public network IP ranges in order to identify misconfigured public interfaces, such as the Docker API as described above.