runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access). The attacker needs the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached to with docker exec. The cause is file-descriptor mishandling related to /proc/self/exe.
[
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"206209469052802163709281360376397312675",
"48219882597669953983429687793407620753",
"213043235157353488768314210772726520178",
"251821556443359960608428361047721063429",
"93222659505421272286403399172694346479",
"107309039482126281655838517999257961732"
],
"threshold": 0.9
},
"source": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b",
"target": {
"file": "libcontainer/nsenter/nsexec.c"
},
"id": "CVE-2019-5736-1cffac28",
"signature_version": "v1",
"deprecated": false
},
{
"signature_type": "Function",
"digest": {
"length": 6892.0,
"function_hash": "43249958159973239119332662430070161949"
},
"source": "https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b",
"target": {
"function": "nsexec",
"file": "libcontainer/nsenter/nsexec.c"
},
"id": "CVE-2019-5736-c45baaa5",
"signature_version": "v1",
"deprecated": false
}
]