Vulnerabilities > CVE-2016-9962 - Race Condition vulnerability in Docker

047910
CVSS 6.4 - MEDIUM
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
docker
CWE-362
nessus

Summary

RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-DBC2B618EB.NASL
    descriptionFix [CVE-2016-9962] Insecure opening of file-descriptor allows privilege Fix BZ#1412148 - containerd: container did not start before the specified timeout ---- use container-selinux >= 2:2.0-2 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-13
    plugin id96469
    published2017-01-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96469
    titleFedora 25 : 2:docker (2017-dbc2b618eb)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0127.NASL
    descriptionAn update for runc is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime. Security Fix(es) : * The runc component used by `docker exec` feature of docker allowed additional container processes via to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962) Red Hat would like to thank the Docker project for reporting this issue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id96598
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96598
    titleRHEL 7 : runc (RHSA-2017:0127)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3511.NASL
    descriptionDescription of changes: docker-engine [1.12.6-1.0.1] - Enable configuration of Docker daemon via sysconfig [orabug 21804877] - Require UEK4 for docker 1.9 [orabug 22235639 22235645] - Add docker.conf for prelink [orabug 25147708] [1.12.6] - the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or - a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive - Backup the current version of the unit file, and replace the file with the - Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present - Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present). - Fix runC privilege escalation (CVE-2016-9962) [1.12.5] - the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or - a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive - Backup the current version of the unit file, and replace the file with the - Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present - Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present). - Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424) - Fix panic in docker network ls when a network was created with --ipv6 and no ipv6 --subnet in older docker versions [#29416](https://github.com/docker/docker/pull/29416) - Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370) [1.12.4] - the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or - a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive - Backup the current version of the unit file, and replace the file with the - Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present - Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present). - Fix issue where volume metadata was not removed [#29083](https://github.com/docker/docker/pull/29083) - Asynchronously close streams to prevent holding container lock [#29050](https://github.com/docker/docker/pull/29050) - Fix selinux labels for newly created container volumes [#29050](https://github.com/docker/docker/pull/29050) - Remove hostname validation [#28990](https://github.com/docker/docker/pull/28990) - Fix deadlocks caused by IO races [#29095](https://github.com/docker/docker/pull/29095) [#29141](https://github.com/docker/docker/pull/29141) - Return an empty stats if the container is restarting [#29150](https://github.com/docker/docker/pull/29150) - Fix volume store locking [#29151](https://github.com/docker/docker/pull/29151) - Ensure consistent status code in API [#29150](https://github.com/docker/docker/pull/29150) - Fix incorrect opaque directory permission in overlay2 [#29093](https://github.com/docker/docker/pull/29093) - Detect plugin content and error out on docker pull [#29297](https://github.com/docker/docker/pull/29297) - Update Swarmkit [#29047](https://github.com/docker/docker/pull/29047) - orchestrator/global: Fix deadlock on updates [docker/swarmkit#1760](https://github.com/docker/swarmkit/pull/1760) - on leader switchover preserve the vxlan id for existing networks [docker/swarmkit#1773](https://github.com/docker/swarmkit/pull/1773) - Refuse swarm spec not named
    last seen2020-06-01
    modified2020-06-02
    plugin id96589
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96589
    titleOracle Linux 6 / 7 : docker-engine / docker-engine-selinux (ELSA-2017-3511)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-C2C2D1BE16.NASL
    descriptionFix CVE-2016-9962 - Insecure opening of file-descriptor allows privilege escalation ---- built docker @projectatomic/docker-1.12 commit 6009905 ---- built docker @projectatomic/docker-1.12 commit 97974ae ---- built docker @projectatomic/docker-1.12 commit 7b5044b Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-23
    plugin id96678
    published2017-01-23
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96678
    titleFedora 24 : 2:docker-latest (2017-c2c2d1be16)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-34.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-34 (runC: Privilege escalation) A vulnerability was discovered in runC that allows additional container processes via ‘runc exec’ to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes. Impact : An attacker, who is able to successfully escape the container or modify runC’s state before process initialization, could escalate privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96475
    published2017-01-13
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96475
    titleGLSA-201701-34 : runC: Privilege escalation
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-FCD02E2C2D.NASL
    descriptionFix CVE-2016-9962 - Insecure opening of file-descriptor allows privilege escalation ---- built docker @projectatomic/docker-1.12 commit 6009905 ---- built docker @projectatomic/docker-1.12 commit 97974ae ---- built docker @projectatomic/docker-1.12 commit 7b5044b Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-16
    plugin id96509
    published2017-01-16
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96509
    titleFedora 25 : 2:docker-latest (2017-fcd02e2c2d)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-20CDB2063A.NASL
    descriptionV1.0 final release ---- bump runc commit ---- Update to latest release candidate Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-01
    plugin id102086
    published2017-08-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102086
    titleFedora 25 : 1:runc (2017-20cdb2063a)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0123.NASL
    descriptionAn update for docker-latest is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Docker is an open source engine that automates the deployment of any application as a lightweight, portable, and self-sufficient container that will run virtually anywhere. The following packages have been upgraded to a newer upstream version: docker-latest (1.12.5). (BZ#1404309) Security Fix(es) : * The runc component used by `docker exec` feature of docker allowed additional container processes via to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962) Red Hat would like to thank the Docker project for reporting this issue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.
    last seen2020-06-01
    modified2020-06-02
    plugin id96597
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96597
    titleRHEL 7 : docker-latest (RHSA-2017:0123)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-783.NASL
    descriptionIt was discovered that runC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during the initialization, which can lead to container escapes or modification of runC state before the process is fully placed inside the container.
    last seen2020-06-01
    modified2020-06-02
    plugin id96394
    published2017-01-11
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96394
    titleAmazon Linux AMI : docker (ALAS-2017-783)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-181.NASL
    descriptionThis update for - containerd, - docker to version 1.12.6 and - runc fixes several issues. This security issues was fixed : - CVE-2016-9962: container escape vulnerability (bsc#1012568). Thsese non-security issues were fixed : - boo#1019251: Add a delay when starting docker service - Fixed bash-completion - boo#1015661: add the /usr/bin/docker-run symlink For additional details please see the changelog.
    last seen2020-06-05
    modified2017-02-01
    plugin id96918
    published2017-02-01
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96918
    titleopenSUSE Security Update : containerd / docker / runc (openSUSE-2017-181)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-0200646669.NASL
    descriptionResolves: #1412238 - *CVE-2016-9962* - set init processes as non-dumpable, ---- patch to enable seccomp ---- bump to 1.0.0 rc2 ---- Resolves: #1342707 - bump to v1.0.0-rc1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-19
    plugin id96616
    published2017-01-19
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96616
    titleFedora 25 : 1:runc (2017-0200646669)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0116.NASL
    descriptionAn update for docker is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Docker is an open source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. The following packages have been upgraded to a newer upstream version: docker (1.12.5). (BZ#1404298) Security Fix(es) : * The runc component used by `docker exec` feature of docker allowed additional container processes via to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962) Red Hat would like to thank the Docker project for reporting this issue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters. Bug Fix(es) : * The docker containers and images did not read proxy variables from the environment when contacting registries. As a consequence, a user could not pull image when the system was configured to use a proxy. The containers and images have been fixed to read proxy variables from the environment, and pulling images now from a system with a proxy works correctly. (BZ# 1393816) * Occasionally the docker-storage-setup service could start before a thin pool is ready which caused it to failed. As a consequence, the docker daemon also failed. This bug has been fixed and now docker-storage-setup waits for a thin pool to be created for 60 seconds. This default time can be configured. As a result, docker and docker-storage-setup start correctly upon reboot. (BZ#1316786) * Previously, the docker daemon
    last seen2020-06-01
    modified2020-06-02
    plugin id96596
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96596
    titleRHEL 7 : docker (RHSA-2017:0116)

Redhat

advisories
  • rhsa
    idRHSA-2017:0116
  • rhsa
    idRHSA-2017:0123
  • rhsa
    idRHSA-2017:0127
rpms
  • container-selinux-2:1.12.5-14.el7
  • docker-2:1.12.5-14.el7
  • docker-client-2:1.12.5-14.el7
  • docker-common-2:1.12.5-14.el7
  • docker-logrotate-2:1.12.5-14.el7
  • docker-lvm-plugin-2:1.12.5-14.el7
  • docker-novolume-plugin-2:1.12.5-14.el7
  • docker-rhel-push-plugin-2:1.12.5-14.el7
  • docker-v1.10-migrator-2:1.12.5-14.el7
  • docker-client-latest-0:1.12.5-14.el7
  • docker-latest-0:1.12.5-14.el7
  • docker-latest-logrotate-0:1.12.5-14.el7
  • docker-latest-v1.10-migrator-0:1.12.5-14.el7
  • runc-0:1.0.0-1.rc2.el7

References