Cloud Native Computing

runC vulnerability should make us reconsider container security


Containers pose serious security and compliance risks. Check out our interview with Dirk Hohndel – VP, Chief Open Source Officer, in which he warned us about such security risks. To make matters worse, there is a known vulnerability in one of the core components of Docker containers – runC.

runC is a container runtime: the component responsible for spawning and running containers. The tool was created by Docker Inc. and then donated to the Linux Foundation’s OCI project. There are many other container runtime projects, such as the Kata Containers runtime and LXC, but runC is the most popular one, and it is also the runtime used by Kubernetes.

According to Aleksa Sarai, a runC maintainer, “The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runC binary and thus gain root-level code execution on the host.”

“This vulnerability makes it possible for a malicious actor that has created a specially-crafted container image to gain administrative privileges on the host. Docker engineering worked with runC maintainers on the OCI to issue a patch for this vulnerability,” said Banjot Chanana, Vice President of Product at Docker, Inc.

Well, you may dismiss the threat by saying that this is not like Windows XP, where people install random applications; these are IT professionals who know what they are doing. Not true. You can be pulling a container image from a public repository that contains compromised components. You have zero control over the dependencies of that container. You are screwed!

So, it’s more likely that a sysadmin will spin up a compromised container than that a Windows XP user will install a malicious app. Hohndel has actually warned against some of the ‘best practices’ of the container world. And if we pay attention to what he has to say, we may minimize the risks of any such vulnerability.

At the same time, Chanana does have some advice for users. First and foremost, he suggests using the official container images curated by Docker and hosted on Docker Hub. “Docker sponsors a dedicated team that is responsible for reviewing and publishing all content in the Official Images. This team works in collaboration with upstream software maintainers, security experts, and the broader Docker community to ensure the security of these images,” explained Chanana. “You can also use Docker Enterprise users that follow security best practices and run trusted code based on Docker Certified images can be assured that their software images.”

You can also pay attention to what Hohndel suggests: take full control of what’s in the containers that you spin up. In a nutshell, containers are no different from binaries that you install on your system; if you don’t know what’s inside, you are at risk.
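One way to turn the two pieces of advice above (use curated official images, and know exactly what goes into the containers you run) into a check you can run before building is to audit every `FROM` line of a Dockerfile. The following is an added example, not code from the article or from Docker; the policy it enforces (only Docker Hub official images, each pinned to a content digest) and the sample Dockerfile, including the all-zero placeholder digest, are assumptions constructed for illustration.

```python
import re

# Image reference grammar: [registry/][namespace/]repo[:tag][@sha256:digest].
# A first path component containing a dot (or "localhost") is a registry,
# which mirrors the heuristic Docker itself uses when parsing references.
_REF = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<path>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)

def parse_image_ref(ref):
    """Split an image reference into registry, namespace, repo, tag, digest."""
    m = _REF.match(ref)
    if not m:
        raise ValueError("not a valid image reference: %r" % ref)
    registry = m.group("registry") or "docker.io"      # Docker Hub is the default
    parts = m.group("path").split("/")
    if len(parts) == 1:
        namespace, repo = "library", parts[0]           # bare name => official image
    else:
        namespace, repo = "/".join(parts[:-1]), parts[-1]
    return {"registry": registry, "namespace": namespace, "repo": repo,
            "tag": m.group("tag"), "digest": m.group("digest")}

def check_image_ref(ref):
    """Return policy findings for one image reference (empty list = OK)."""
    info = parse_image_ref(ref)
    findings = []
    if info["registry"] != "docker.io" or info["namespace"] != "library":
        findings.append("not a Docker Official Image")
    if info["digest"] is None:       # a tag can be re-pointed; a digest cannot
        findings.append("not pinned by digest")
    return findings

def audit_dockerfile(text):
    """Check every FROM line of a Dockerfile; returns {image: findings}."""
    results = {}
    for line in text.splitlines():
        m = re.match(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", line, re.I)
        if m and m.group(1).lower() != "scratch":
            results[m.group(1)] = check_image_ref(m.group(1))
    return results

# Constructed sample Dockerfile (hypothetical images, placeholder digest).
SAMPLE = "\n".join([
    "FROM alpine:3.9@sha256:" + "0" * 64,    # official image, digest-pinned
    "FROM someuser/helper:latest AS build",  # third-party image, floating tag
    "FROM ghcr.io/example/tool:1.0",         # other registry, no digest
])

if __name__ == "__main__":
    for image, findings in audit_dockerfile(SAMPLE).items():
        print(image, "->", findings or ["ok"])
```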

It’s about time we rethink container security.