runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within either of these types of containers: (1) a new container started from an attacker-controlled image, or (2) an existing container to which the attacker previously had write access and that can be attached to with docker exec. This occurs because of file-descriptor mishandling related to /proc/self/exe.
{ "vanir_signatures": [ { "id": "CVE-2019-5736-1cffac28", "source": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "206209469052802163709281360376397312675", "48219882597669953983429687793407620753", "213043235157353488768314210772726520178", "251821556443359960608428361047721063429", "93222659505421272286403399172694346479", "107309039482126281655838517999257961732" ] }, "target": { "file": "libcontainer/nsenter/nsexec.c" } }, { "id": "CVE-2019-5736-c45baaa5", "source": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "length": 6892.0, "function_hash": "43249958159973239119332662430070161949" }, "target": { "file": "libcontainer/nsenter/nsexec.c", "function": "nsexec" } } ] }