ASA-2019-00316 – rkt: Processes run with `rkt enter` are not limited by cgroups during stage 2


Allele Security Alert

ASA-2019-00316

Identifier(s)

ASA-2019-00316, CVE-2019-10147

Title

Processes run with `rkt enter` are not limited by cgroups during stage 2

Vendor(s)

CoreOS

Product(s)

rkt

Affected version(s)

Unknown

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

A flaw was found where rkt does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
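A defender-side check for the condition described above, as an added example that is not part of the original alert or of rkt itself: it compares the `/proc/<pid>/cgroup` contents of a pod's reference process with those of another process and lists the controllers for which the second process sits outside the pod's cgroup. The cgroup paths and process roles in the sample data are constructed placeholders, and the function names are hypothetical.

```python
"""Compare cgroup membership of two processes from /proc/<pid>/cgroup text."""


def parse_cgroup(text):
    """Map each controller ('' for the cgroup v2 unified entry) to its path."""
    membership = {}
    for line in text.strip().splitlines():
        # Line format: hierarchy-ID:controller-list:cgroup-path
        _, controllers, path = line.strip().split(":", 2)
        for name in controllers.split(","):
            membership[name] = path
    return membership


def escaped_controllers(pod_text, proc_text):
    """Controllers where the process is neither in the pod's cgroup nor below it."""
    pod, proc = parse_cgroup(pod_text), parse_cgroup(proc_text)
    outside = []
    for name, pod_path in pod.items():
        if pod_path == "/":
            continue  # pod is in the root cgroup here, so there is no limit to compare
        proc_path = proc.get(name)
        inside = proc_path is not None and (
            proc_path == pod_path
            or proc_path.startswith(pod_path.rstrip("/") + "/"))
        if not inside:
            outside.append(name)
    return sorted(outside)


# Constructed sample data (placeholder paths, not captured from a real host).
POD = """11:memory:/machine.slice/machine-pod.scope
10:pids:/machine.slice/machine-pod.scope
4:cpu,cpuacct:/machine.slice/machine-pod.scope
1:name=systemd:/machine.slice/machine-pod.scope"""
APP = POD.replace("machine-pod.scope", "machine-pod.scope/system.slice/app.service")
ENTERED = """11:memory:/user.slice
10:pids:/user.slice/user-1000.slice
4:cpu,cpuacct:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-3.scope"""

if __name__ == "__main__":
    print("app process outside pod for:", escaped_controllers(POD, APP))
    print("entered process outside pod for:", escaped_controllers(POD, ENTERED))
```

On a live host the two inputs would be the contents of `/proc/<pid>/cgroup` for the pod's reference process and for the process under inspection.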

Technical details

Unknown

Credits

Yuval Avrahami (Twistlock)

Reference(s)

Breaking Out of rkt – 3 New Unpatched CVEs
https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/

Bug 1714434 (CVE-2019-10147) – CVE-2019-10147 rkt: processes run with `rkt enter` are not limited by cgroups during stage 2
https://bugzilla.redhat.com/show_bug.cgi?id=1714434

Escaping like a Rocket via rkt enter
https://capsule8.com/blog/escaping-like-a-rocket-via-rkt-enter/

rkt enter lacks isolation features #3998
https://github.com/rkt/rkt/issues/3998

CVE-2019-10147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10147

CVE-2019-10147
https://nvd.nist.gov/vuln/detail/CVE-2019-10147

If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: June 7, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.