It has been reported that a security vulnerability affecting Docker and Kubernetes containers can be used to attack any host system running containers. The vulnerability allows a malicious container to overwrite the host and gain root-level code execution on the host machine.
Tim Mackey, Technical Evangelist at Synopsys:
“With the disclosure of CVE-2019-5736, the topic of container security and how malicious actors could breakout from a containerised application is headline news. While providers of container services like Amazon, Google, IBM and Microsoft will directly address the underlying vulnerability, any organisation embracing containerised applications should take this as an opportunity to look at how they manage their applications independent of their chosen provider.
The first step is to recognise that containerised applications are different in structure from a traditional application. The contents of the “container image” are often constructed from “base images”, which provide core services and libraries and which are then combined with custom code to create the containerised application. This means the security of that application is a function of both the custom code and the contents of the base image. Without an appropriate understanding of the composition of a base image, any security issues in the base become potential issues in the final application. The net result is that, should malicious or exploitable code form part of the base, the risk of application compromise goes up when a container breakout vulnerability occurs. To protect against this, organisations should only trust base images which have been audited for security issues and should only launch images from trusted sources.
The second step is to contain the impact of a container breakout. Successful exploitation of any container breakout can result in both malicious access to data present in other containers and an opportunity to start malicious containers. Container orchestration systems have an explicit inventory of what should be running, which can then be compared with what’s actually running. Any discrepancy found should then be investigated as a potential beachhead for future attacks.”
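The two controls in the quote above, launching only images from trusted sources and comparing the orchestrator's declared inventory with what is actually running, can be reduced to a small reconciliation routine. The following is an added example written for this page, not code from Synopsys or from any orchestrator; it assumes a declared inventory (workload name to image reference) and a list of observed containers have already been collected, and every registry name, workload name and image digest in it is constructed. The digest-pinning check goes slightly beyond the quote: it is the usual way to confirm that the image launched is the exact image that was audited, rather than whatever a mutable tag currently points at.

```python
"""Reconcile a declared container inventory against observed containers and
flag anything that is undeclared, drifted, missing, or not from a trusted source.

Added example. All names, registries and digests below are constructed; in a
real deployment EXPECTED would be read from the orchestrator's declared
workloads and RUNNING from the container runtime on each node.
"""
from dataclasses import dataclass

# Constructed: the only registry this deployment is allowed to launch images from.
TRUSTED_REGISTRIES = ("registry.example.com/",)


@dataclass(frozen=True)
class Container:
    name: str    # workload / container name as the orchestrator knows it
    image: str   # full image reference, e.g. registry.example.com/app@sha256:...
    host: str    # node the container was observed on


def is_trusted(image: str) -> bool:
    """True if the image reference starts with an allowed registry prefix."""
    return any(image.startswith(prefix) for prefix in TRUSTED_REGISTRIES)


def is_pinned(image: str) -> bool:
    """True if the image is pinned by content digest rather than a mutable tag."""
    return "@sha256:" in image


def reconcile(expected: dict, running: list) -> list:
    """Compare declared inventory to observed containers.

    Returns a sorted list of (kind, workload, detail) findings, where kind is one of
    UNDECLARED, IMAGE_DRIFT, MISSING, UNTRUSTED_SOURCE or UNPINNED_IMAGE.
    """
    findings = []
    running_by_name = {c.name: c for c in running}

    # 1. Observed containers the orchestrator never declared: a potential beachhead.
    #    Declared containers whose image differs from the declaration: image drift.
    for name, c in running_by_name.items():
        if name not in expected:
            findings.append(("UNDECLARED", name, f"running on {c.host} with image {c.image}"))
        elif c.image != expected[name]:
            findings.append(("IMAGE_DRIFT", name, f"expected {expected[name]}, observed {c.image}"))

    # 2. Declared workloads that are not running at all.
    for name in expected:
        if name not in running_by_name:
            findings.append(("MISSING", name, "declared but not observed"))

    # 3. Source checks on everything that is actually running, declared or not.
    for name, c in running_by_name.items():
        if not is_trusted(c.image):
            findings.append(("UNTRUSTED_SOURCE", name, c.image))
        if not is_pinned(c.image):
            findings.append(("UNPINNED_IMAGE", name, c.image))

    return sorted(findings)


# Constructed sample data: three declared workloads, three observed containers.
EXPECTED = {
    "web":    "registry.example.com/shop/web@sha256:" + "a" * 64,
    "api":    "registry.example.com/shop/api@sha256:" + "b" * 64,
    "worker": "registry.example.com/shop/worker@sha256:" + "c" * 64,
}
RUNNING = [
    Container("web", "registry.example.com/shop/web@sha256:" + "a" * 64, "node-1"),
    Container("api", "registry.example.com/shop/api:latest", "node-1"),      # drifted to a mutable tag
    Container("debug-shell", "docker.io/library/busybox:latest", "node-2"),  # nobody declared this
]


def run_example() -> list:
    """Run the reconciliation over the constructed data and return the findings."""
    return reconcile(EXPECTED, RUNNING)


if __name__ == "__main__":
    for kind, workload, detail in run_example():
        print(f"{kind:17} {workload:12} {detail}")
```

In this sample the undeclared `debug-shell` container and the `api` workload that drifted from its audited digest to `:latest` are the two results worth an analyst's attention; `worker` being absent is an availability question rather than a breakout indicator, but it is still a discrepancy between declared and observed state and is reported for the same reason.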