Researchers at CyberArk have built a proof-of-concept attack that lets an adversary bypass a container's isolation, escape the container and fully compromise the host system. The scenario is limited, however: a successful attack depends on an unpatched kernel vulnerability being present on the host.
Nimrod Stoler, a cyber security researcher at CyberArk, said:
“With about 20 lines of code and a few small tweaks to an exploit, we have created a way to jump a container and attack the underlying host.”
In the research, made public on Monday, CyberArk describes how a Linux kernel privilege escalation vulnerability (CVE-2017-7308) present on the host could be exploited from inside a container. In the attack scenario, an adversary first compromises a website running inside a container. With code execution in the container, the attacker then uses CyberArk's proof-of-concept technique to break containment and attack the host.
Lavi Lazarovitz said:
“In our proof-of-concept attack, the Docker containers’ defense-in-depth strategy temporarily stopped us from escaping to the underlying host. But we expanded the exploit’s payload to include code that manipulated the container’s namespaces and eventually broke containment.”
Docker employs several security measures to protect the kernel, which is shared by the containers and the host, and the namespaces and cgroups that support isolation. Namespaces are a Linux kernel feature that give each container its own view of resources such as process IDs, mounts and network interfaces, and so provide the layer of isolation between containers and the host. Cgroups let the engine meter and limit shared hardware resources such as CPU and memory. Since the kernel itself is shared, a kernel bug reachable from inside a container undermines all of these controls at once.
CyberArk described the final step of the escape in a write-up published earlier this week:
“The exploit finishes by calling the setns syscall, which changes the current process’s namespaces into process 1’s and the host’s namespaces, practically tearing down the namespace walls between container and host and accomplishing a full escape to host.”
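To make the "namespace walls" concrete, here is an added example; it is not CyberArk's proof-of-concept or any code from the write-up. It compares the namespace inodes of a process with those of PID 1, reads the process's effective capability mask, and attempts the same setns() step the exploit finishes with, but from user space. The six namespace types and the capability bit numbers (CAP_NET_RAW = 13, CAP_SYS_ADMIN = 21) are kernel constants; the CapEff sample values in the comments are constructed. In a correctly confined container the setns() attempt fails with EPERM, because joining another process's namespaces requires CAP_SYS_ADMIN in the user namespace that owns them, which is exactly the privilege the kernel exploit supplied. CAP_NET_RAW is checked because the CVE-2017-7308 bug sits behind an AF_PACKET socket, which a process can only open if it holds that capability.

```c
/* Added example, not CyberArk's code: probe the namespace walls between a
 * process and PID 1, report its capabilities, and try the setns() escape
 * step legitimately (expected to fail with EPERM in a confined container). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_NET_RAW   13  /* required to open the AF_PACKET socket behind CVE-2017-7308 */
#define CAP_SYS_ADMIN 21  /* required by setns() to join another process's namespaces */

static const char *ns_types[] = {"mnt", "pid", "net", "ipc", "uts", "user"};
#define NS_COUNT (sizeof ns_types / sizeof ns_types[0])

/* Inode of /proc/<pid>/ns/<type>; 0 if unreadable (bad type, no /proc, no permission). */
unsigned long ns_inode(pid_t pid, const char *type) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, type);
    if (stat(path, &st) != 0) return 0;
    return (unsigned long)st.st_ino;
}

/* 1 if a and b share the <type> namespace, 0 if they do not, -1 if either is unreadable. */
int same_ns(pid_t a, pid_t b, const char *type) {
    unsigned long ia = ns_inode(a, type), ib = ns_inode(b, type);
    if (ia == 0 || ib == 0) return -1;
    return ia == ib ? 1 : 0;
}

/* How many of the six namespace types separate <pid> from PID 1; -1 if PID 1 is not visible. */
int ns_walls(pid_t pid) {
    int walls = 0;
    for (size_t i = 0; i < NS_COUNT; i++) {
        int r = same_ns(pid, 1, ns_types[i]);
        if (r < 0) return -1;
        if (r == 0) walls++;
    }
    return walls;
}

/* Test bit <cap> of a CapEff-style 64-bit capability mask. */
int has_cap(unsigned long long mask, int cap) {
    return (int)((mask >> cap) & 1ULL);
}

/* Effective capability mask of the calling process, parsed from /proc/self/status. */
unsigned long long cap_effective(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long mask = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {   /* e.g. "CapEff:\t00000000a80425fb" */
            mask = strtoull(line + 7, NULL, 16);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* The write-up's final step, attempted from user space: join <target>'s <type> namespace.
 * Returns 0 on success, otherwise the errno (EPERM without CAP_SYS_ADMIN in the owning user ns). */
int try_join_ns(pid_t target, const char *type) {
    char path[64];
    int fd, rc;
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)target, type);
    fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    rc = syscall(SYS_setns, fd, 0) == 0 ? 0 : errno;  /* raw syscall: no glibc feature-macro dependency */
    close(fd);
    return rc;
}

int main(void) {
    unsigned long long caps = cap_effective();
    printf("CapEff=%016llx NET_RAW=%d SYS_ADMIN=%d\n", caps,
           has_cap(caps, CAP_NET_RAW), has_cap(caps, CAP_SYS_ADMIN));
    for (size_t i = 0; i < NS_COUNT; i++)
        printf("%-4s self=%lu pid1=%lu %s\n", ns_types[i],
               ns_inode(getpid(), ns_types[i]), ns_inode(1, ns_types[i]),
               same_ns(getpid(), 1, ns_types[i]) == 1 ? "shared" : "separate");
    printf("namespace walls to PID 1: %d\n", ns_walls(getpid()));
    int rc = try_join_ns(1, "mnt");
    printf("setns(PID 1 mnt): %s\n", rc == 0 ? "succeeded" : strerror(rc));
    return 0;
}
```

Run it inside a container and on the host: in the container every namespace type except, typically, user shows a different inode from PID 1 and the setns() attempt reports "Operation not permitted"; on the host all six are shared. The walls count and the missing CAP_SYS_ADMIN together are the defense-in-depth the quote above refers to, and a kernel exploit that rewrites the task's credentials and namespace pointers bypasses both without ever passing through the setns() permission check shown here.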
Docker, the company behind the container platform of the same name, said:
“Any host system which isn’t fully patched and running containers may become infected no matter the security provisions of the container.”
“Containers don’t help if the kernel is broken. As is the case with any software, if you haven’t installed security updates for two years, you will be vulnerable.”
Nimrod Stoler said:
“We think that there is more to do to allow better isolation between containers and their hosts.”
According to the report, CyberArk's proof-of-concept code could be reused in future: whenever a new Linux kernel vulnerability is found that is reachable from inside a container, the same namespace-manipulation payload can be attached to it to escape the container environment.