CVE-2016-9962 - Race Condition vulnerability in Docker

CVSS metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | HIGH |
Privileges required | HIGH |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |

Summary
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 21 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses it. During that period, the attacker could, for example, replace the file and cause an escalation of privilege.
Nessus
- Plugin 96469: Fedora 25 : 2:docker (2017-dbc2b618eb)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2017-DBC2B618EB.NASL
  - Description: Fix [CVE-2016-9962] Insecure opening of file-descriptor allows privilege Fix BZ#1412148 - containerd: container did not start before the specified timeout ---- use container-selinux >= 2:2.0-2. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  - Published: 2017-01-13; modified: 2017-01-13; last seen: 2020-06-05
  - Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96469
- Plugin 96598: RHEL 7 : runc (RHSA-2017:0127)
  - NASL family: Red Hat Local Security Checks
  - NASL id: REDHAT-RHSA-2017-0127.NASL
  - Description: An update for runc is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides a container runtime.
    - Security Fix(es): The runc component used by the `docker exec` feature of docker allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962) Red Hat would like to thank the Docker project for reporting this issue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.
  - Published: 2017-01-18; modified: 2020-06-02; last seen: 2020-06-01
  - Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96598
- Plugin 96589: Oracle Linux 6 / 7 : docker-engine / docker-engine-selinux (ELSA-2017-3511)
  - NASL family: Oracle Linux Local Security Checks
  - NASL id: ORACLELINUX_ELSA-2017-3511.NASL
  - Description: Description of changes: docker-engine
    - [1.12.6-1.0.1] - Enable configuration of Docker daemon via sysconfig [orabug 21804877] - Require UEK4 for docker 1.9 [orabug 22235639 22235645] - Add docker.conf for prelink [orabug 25147708]
    - [1.12.6] - the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or - a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive - Backup the current version of the unit file, and replace the file with the - Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present - Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present). - Fix runC privilege escalation (CVE-2016-9962)
    - [1.12.5] - the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or - a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive - Backup the current version of the unit file, and replace the file with the - Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present - Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present). - Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424) - Fix panic in docker network ls when a network was created with --ipv6 and no ipv6 --subnet in older docker versions [#29416](https://github.com/docker/docker/pull/29416) - Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370)
    - [1.12.4] - the systemd unit file (/usr/lib/systemd/system/docker.service) contains local changes, or - a systemd drop-in file is present, and contains -H fd:// in the ExecStart directive - Backup the current version of the unit file, and replace the file with the - Remove the Requires=docker.socket directive from the /usr/lib/systemd/system/docker.service file if present - Remove -H fd:// from the ExecStart directive (both in the main unit file, and in any drop-in files present). - Fix issue where volume metadata was not removed [#29083](https://github.com/docker/docker/pull/29083) - Asynchronously close streams to prevent holding container lock [#29050](https://github.com/docker/docker/pull/29050) - Fix selinux labels for newly created container volumes [#29050](https://github.com/docker/docker/pull/29050) - Remove hostname validation [#28990](https://github.com/docker/docker/pull/28990) - Fix deadlocks caused by IO races [#29095](https://github.com/docker/docker/pull/29095) [#29141](https://github.com/docker/docker/pull/29141) - Return an empty stats if the container is restarting [#29150](https://github.com/docker/docker/pull/29150) - Fix volume store locking [#29151](https://github.com/docker/docker/pull/29151) - Ensure consistent status code in API [#29150](https://github.com/docker/docker/pull/29150) - Fix incorrect opaque directory permission in overlay2 [#29093](https://github.com/docker/docker/pull/29093) - Detect plugin content and error out on docker pull [#29297](https://github.com/docker/docker/pull/29297) - Update Swarmkit [#29047](https://github.com/docker/docker/pull/29047) - orchestrator/global: Fix deadlock on updates [docker/swarmkit#1760](https://github.com/docker/swarmkit/pull/1760) - on leader switchover preserve the vxlan id for existing networks [docker/swarmkit#1773](https://github.com/docker/swarmkit/pull/1773) - Refuse swarm spec not named
  - Published: 2017-01-18; modified: 2020-06-02; last seen: 2020-06-01
  - Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96589
- Plugin 96678: Fedora 24 : 2:docker-latest (2017-c2c2d1be16)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2017-C2C2D1BE16.NASL
  - Description: Fix CVE-2016-9962 - Insecure opening of file-descriptor allows privilege escalation ---- built docker @projectatomic/docker-1.12 commit 6009905 ---- built docker @projectatomic/docker-1.12 commit 97974ae ---- built docker @projectatomic/docker-1.12 commit 7b5044b
  - Published: 2017-01-23; modified: 2017-01-23; last seen: 2020-06-05
  - Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96678
- Plugin 96475: GLSA-201701-34 : runC: Privilege escalation
  - NASL family: Gentoo Local Security Checks
  - NASL id: GENTOO_GLSA-201701-34.NASL
  - Description: The remote host is affected by the vulnerability described in GLSA-201701-34 (runC: Privilege escalation). A vulnerability was discovered in runC that allows additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes.
    - Impact: An attacker, who is able to successfully escape the container or modify runC's state before process initialization, could escalate privileges.
    - Workaround: There is no known workaround at this time.
  - Published: 2017-01-13; modified: 2020-06-02; last seen: 2020-06-01
  - Reporter: This script is Copyright (C) 2017 Tenable Network Security, Inc.
  - Source: https://www.tenable.com/plugins/nessus/96475
- Plugin 96509: Fedora 25 : 2:docker-latest (2017-fcd02e2c2d)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2017-FCD02E2C2D.NASL
  - Description: Fix CVE-2016-9962 - Insecure opening of file-descriptor allows privilege escalation ---- built docker @projectatomic/docker-1.12 commit 6009905 ---- built docker @projectatomic/docker-1.12 commit 97974ae ---- built docker @projectatomic/docker-1.12 commit 7b5044b
  - Published: 2017-01-16; modified: 2017-01-16; last seen: 2020-06-05
  - Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96509
- Plugin 102086: Fedora 25 : 1:runc (2017-20cdb2063a)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2017-20CDB2063A.NASL
  - Description: V1.0 final release ---- bump runc commit ---- Update to latest release candidate
  - Published: 2017-08-01; modified: 2017-08-01; last seen: 2020-06-05
  - Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/102086
- Plugin 96597: RHEL 7 : docker-latest (RHSA-2017:0123)
  - NASL family: Red Hat Local Security Checks
  - NASL id: REDHAT-RHSA-2017-0123.NASL
  - Description: An update for docker-latest is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Docker is an open source engine that automates the deployment of any application as a lightweight, portable, and self-sufficient container that will run virtually anywhere. The following packages have been upgraded to a newer upstream version: docker-latest (1.12.5). (BZ#1404309)
    - Security Fix(es): The runc component used by the `docker exec` feature of docker allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962) Red Hat would like to thank the Docker project for reporting this issue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.
  - Published: 2017-01-18; modified: 2020-06-02; last seen: 2020-06-01
  - Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96597
- Plugin 96394: Amazon Linux AMI : docker (ALAS-2017-783)
  - NASL family: Amazon Linux Local Security Checks
  - NASL id: ALA_ALAS-2017-783.NASL
  - Description: It was discovered that runC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during the initialization, which can lead to container escapes or modification of runC state before the process is fully placed inside the container.
  - Published: 2017-01-11; modified: 2020-06-02; last seen: 2020-06-01
  - Reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
  - Source: https://www.tenable.com/plugins/nessus/96394
- Plugin 96918: openSUSE Security Update : containerd / docker / runc (openSUSE-2017-181)
  - NASL family: SuSE Local Security Checks
  - NASL id: OPENSUSE-2017-181.NASL
  - Description: This update for - containerd, - docker to version 1.12.6 and - runc fixes several issues. This security issue was fixed: - CVE-2016-9962: container escape vulnerability (bsc#1012568). These non-security issues were fixed: - boo#1019251: Add a delay when starting docker service - Fixed bash-completion - boo#1015661: add the /usr/bin/docker-run symlink. For additional details please see the changelog.
  - Published: 2017-02-01; modified: 2017-02-01; last seen: 2020-06-05
  - Reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
  - Source: https://www.tenable.com/plugins/nessus/96918
- Plugin 96616: Fedora 25 : 1:runc (2017-0200646669)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2017-0200646669.NASL
  - Description: Resolves: #1412238 - *CVE-2016-9962* - set init processes as non-dumpable, ---- patch to enable seccomp ---- bump to 1.0.0 rc2 ---- Resolves: #1342707 - bump to v1.0.0-rc1
  - Published: 2017-01-19; modified: 2017-01-19; last seen: 2020-06-05
  - Reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96616
- Plugin 96596: RHEL 7 : docker (RHSA-2017:0116)
  - NASL family: Red Hat Local Security Checks
  - NASL id: REDHAT-RHSA-2017-0116.NASL
  - Description: An update for docker is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Docker is an open source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. The following packages have been upgraded to a newer upstream version: docker (1.12.5). (BZ#1404298)
    - Security Fix(es): The runc component used by the `docker exec` feature of docker allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception. (CVE-2016-9962) Red Hat would like to thank the Docker project for reporting this issue. Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the original reporters.
    - Bug Fix(es): The docker containers and images did not read proxy variables from the environment when contacting registries. As a consequence, a user could not pull an image when the system was configured to use a proxy. The containers and images have been fixed to read proxy variables from the environment, and pulling images from a system with a proxy now works correctly. (BZ#1393816) Occasionally the docker-storage-setup service could start before a thin pool was ready, which caused it to fail. As a consequence, the docker daemon also failed. This bug has been fixed and docker-storage-setup now waits 60 seconds for a thin pool to be created. This default time can be configured. As a result, docker and docker-storage-setup start correctly upon reboot. (BZ#1316786) Previously, the docker daemon
  - Published: 2017-01-18; modified: 2020-06-02; last seen: 2020-06-01
  - Reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  - Source: https://www.tenable.com/plugins/nessus/96596
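The mitigation named in the Fedora runc entry above ("set init processes as non-dumpable"), shown as an added C example; this is not runC's code and is not taken from this page. The forked child is a constructed stand-in for the process that `runc exec` places into the container, and the attach probe is the check a defender can use to confirm the flag has the intended effect; it assumes a Linux host where a parent may ptrace its own child (Yama ptrace_scope 0 or 1) and an unprivileged user, since CAP_SYS_PTRACE overrides the dumpable check.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* The hardening from the fix: mark the calling process non-dumpable. The
 * kernel then refuses PTRACE_ATTACH from any process lacking CAP_SYS_PTRACE,
 * even one with the same uid (the container's root pid 1).
 * Returns the flag read back via PR_GET_DUMPABLE: 0 on success, -1 on error. */
int make_nondumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Constructed stand-in for the incoming exec process: fork a child that
 * optionally hardens itself, then try PTRACE_ATTACH from the parent.
 * Returns 0 if the attach succeeded, else the errno (EPERM = refused). */
int try_attach_child(int harden)
{
    int ready[2];
    if (pipe(ready) != 0)
        return errno;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {                          /* child */
        close(ready[0]);
        if (harden)
            prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        if (write(ready[1], "r", 1) != 1)    /* report "set up" */
            _exit(1);
        for (;;)
            pause();                         /* idle until killed */
    }
    close(ready[1]);
    char c;
    if (read(ready[0], &c, 1) != 1)          /* wait for child setup */
        c = 0;
    close(ready[0]);
    int rc = ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1 ? errno : 0;
    if (rc == 0) {
        waitpid(pid, NULL, 0);               /* consume the attach stop */
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
    }
    kill(pid, SIGKILL);                      /* always clean up the child */
    waitpid(pid, NULL, 0);
    return rc;
}
int main(void)
{
    printf("dumpable child: attach rc=%d (0 = attached)\n", try_attach_child(0));
    printf("non-dumpable child: attach rc=%d (%d = EPERM)\n", try_attach_child(1), EPERM);
    return 0;
}
```

The dumpable flag is inherited across fork() and reset on execve(), so the protection only holds when the process that needs it sets the flag itself before it opens anything sensitive.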
References
- https://security.gentoo.org/glsa/201701-34
- https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
- https://github.com/docker/docker/releases/tag/v1.12.6
- https://bugzilla.suse.com/show_bug.cgi?id=1012568#c6
- https://access.redhat.com/security/vulnerabilities/cve-2016-9962
- http://seclists.org/fulldisclosure/2017/Jan/29
- http://seclists.org/fulldisclosure/2017/Jan/21
- http://www.securityfocus.com/bid/95361
- http://rhn.redhat.com/errata/RHSA-2017-0127.html
- http://rhn.redhat.com/errata/RHSA-2017-0123.html
- http://rhn.redhat.com/errata/RHSA-2017-0116.html
- http://www.securityfocus.com/archive/1/540001/100/0/threaded
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WUQ3MQNEL5IBZZLMLR72Q4YDCL2SCKRK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FINGBFMIXBG6B6ZWYH3TMRP5V3PDBNXR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAXJMMLRU7DD2IMG47SR2K4BOFFG7FZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVM7FCOQMPKOFLDTUYSS4ES76DDM56VP/