Sid 1-49195

Message

SERVER-OTHER Multiple products runc arbitrary code execution attempt

Summary

This event is generated when an attacker attempts to exploit an arbitrary code execution vulnerability in runc.

Impact

Attempted Administrator Privilege Gain

CVE-2019-5736:

CVSS base score 8.6

CVSS impact score 6.0

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

This rule checks for attempts to exploit an arbitrary code execution vulnerability in runc.

CVE-2019-5736: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
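The affected ranges above (runc through 1.0-rc6, Docker before 18.09.2) are easy to misjudge by eye because runc release candidates sort before the final 1.0 release. The following script is an added example, not part of this rule documentation or of any Talos or runc tooling: it parses runc and Docker version strings, decides whether each falls inside the affected range stated on this page, and can optionally read the versions from `runc --version` and `docker version --format '{{.Server.Version}}'` on the local host. The sample command output it ships with is constructed for illustration.

```python
"""Check runc / Docker versions against the CVE-2019-5736 affected ranges.

Added example for the SID 1-49195 rule page; not Talos, runc or Docker code.
Ranges come from the rule text: runc through 1.0-rc6, Docker before 18.09.2.
"""
import re
import subprocess

RUNC_LAST_AFFECTED = "1.0-rc6"    # inclusive upper bound from the rule text
DOCKER_FIRST_FIXED = "18.09.2"    # exclusive upper bound from the rule text

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:[-.]?rc(\d+))?")


def parse_version(text):
    """Split '1.0-rc6' into ((1, 0), 6) and '18.09.2' into ((18, 9, 2), None)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    rc = int(m.group(2)) if m.group(2) else None
    return numbers, rc


def version_key(text):
    """Sortable key: pad to three components and rank rcN below the final release."""
    numbers, rc = parse_version(text)
    numbers = numbers + (0,) * (3 - len(numbers))   # 1.0 == 1.0.0
    # release candidates (flag 0) sort before the final release (flag 1)
    return (numbers, 0, rc) if rc is not None else (numbers, 1, 0)


def runc_affected(version):
    """True when runc is 1.0-rc6 or older (the range named in the rule text)."""
    return version_key(version) <= version_key(RUNC_LAST_AFFECTED)


def docker_affected(version):
    """True when Docker is older than 18.09.2 (the range named in the rule text)."""
    return version_key(version) < version_key(DOCKER_FIRST_FIXED)


def runc_version_from_output(output):
    """Pull the version out of `runc --version` output (first line: 'runc version X')."""
    m = re.search(r"runc version (\S+)", output)
    if not m:
        raise ValueError("no 'runc version' line found")
    return m.group(1)


# Constructed sample of `runc --version` output (commit value is a placeholder).
SAMPLE_RUNC_OUTPUT = "runc version 1.0.0-rc6\ncommit: <constructed>\nspec: 1.0.1\n"


def assess(runc_version, docker_version):
    """Return a dict summarising both checks for reporting."""
    return {
        "runc": runc_version,
        "runc_affected": runc_affected(runc_version),
        "docker": docker_version,
        "docker_affected": docker_affected(docker_version),
    }


def _run(cmd):
    """Run a local command and return its stdout, or None if it is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    runc_out = _run(["runc", "--version"])
    docker_out = _run(["docker", "version", "--format", "{{.Server.Version}}"])
    if runc_out is None or docker_out is None:
        print("runc or docker not available locally; using constructed sample")
        print(assess(runc_version_from_output(SAMPLE_RUNC_OUTPUT), "18.09.1"))
    else:
        print(assess(runc_version_from_output(runc_out), docker_out.strip()))
```

The version key treats `1.0-rc6`, `1.0.0-rc6` and `v1.0.0-rc6` identically and ranks every release candidate below the final `1.0.0`, so a host running a patched `1.0.0-rc7` or later is correctly reported as outside the affected range. The check is a version comparison only; a vendor backport of the fix to an older version string would still be flagged, so confirm against your distribution's advisory.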

Affected systems

  • docker docker 0.1.0
  • docker docker 0.1.1
  • docker docker 0.1.2
  • docker docker 0.1.3
  • docker docker 0.1.4
  • docker docker 0.1.5
  • docker docker 0.1.6
  • docker docker 0.1.7
  • docker docker 0.1.8
  • docker docker 0.2.0
  • docker docker 0.2.1
  • docker docker 0.2.2
  • docker docker 0.3.0
  • docker docker 0.3.1
  • docker docker 0.3.2
  • docker docker 0.3.3
  • docker docker 0.3.4
  • docker docker 0.4.0
  • docker docker 0.4.1
  • docker docker 0.4.2
  • docker docker 0.4.3
  • docker docker 0.4.4
  • docker docker 0.4.5
  • docker docker 0.4.6
  • docker docker 0.4.7
  • docker docker 0.4.8
  • docker docker 0.5.0
  • docker docker 0.5.1
  • docker docker 0.5.2
  • docker docker 0.5.3
  • docker docker 0.6.0
  • docker docker 0.6.1
  • docker docker 0.6.2
  • docker docker 0.6.3
  • docker docker 0.6.4
  • docker docker 0.6.5
  • docker docker 0.6.6
  • docker docker 0.6.7
  • docker docker 0.7.0
  • docker docker 0.7.1
  • docker docker 0.7.2
  • docker docker 0.7.3
  • docker docker 0.7.4
  • docker docker 0.7.5
  • docker docker 0.7.6
  • docker docker 0.8.0
  • docker docker 0.8.1
  • docker docker 0.9.0
  • docker docker 0.9.1
  • docker docker 0.10.
  • docker docker 0.11.
  • docker docker 0.12.
  • docker docker 1.0.0
  • docker docker 1.0.1
  • docker docker 1.1.0
  • docker docker 1.1.1
  • docker docker 1.1.2
  • docker docker 1.2.0
  • docker docker 1.3.0
  • docker docker 1.3.1
  • docker docker 1.3.2
  • docker docker 1.3.3
  • docker docker 1.4.0
  • docker docker 1.4.1
  • docker docker 1.5.0
  • docker docker 1.6
  • docker docker 1.6.0
  • docker docker 1.6.1
  • docker docker 1.6.2
  • docker docker 1.7.0
  • docker docker 1.7.1
  • docker docker 1.8.0
  • docker docker 1.8.1
  • docker docker 1.8.2
  • docker docker 1.8.3
  • docker docker 1.9.0
  • docker docker 1.9.1
  • docker docker 1.10.0
  • docker docker 1.10.1
  • docker docker 1.10.2
  • docker docker 1.10.3
  • docker docker 1.11.0
  • docker docker 1.11.1
  • docker docker 1.11.2
  • docker docker 1.12.0
  • docker docker 1.12.1
  • docker docker 1.12.2
  • docker docker 1.12.3
  • docker docker 1.12.4
  • docker docker 1.12.5
  • docker docker 1.12.6
  • docker docker 1.13.0
  • docker docker 1.13.1
  • google kubernetes_engine -
  • hp onesphere -
  • linuxcontainers lxc -
  • opencontainers runc 1.0
  • redhat openshift 3.4
  • redhat openshift 3.5
  • redhat openshift 3.6
  • redhat openshift 3.7
  • redhat openshift 3.9
  • redhat enterprise_linux 7.0
  • redhat enterpriselinuxserver 7.0

Ease of attack

CVE-2019-5736:

Access Vector

Access Complexity

Authentication

False positives

Not known

False negatives

Not known

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References