Briskinfosec - Global Cybersecurity Service Providers

Stay Connected:

How Much Do You Know On The Latest Docker Security Vulnerability? | Briskinfosec

How Much Do You Know On The Latest Docker Security Vulnerability?

“Containers are isolated from one another and bundle their own software, libraries and configuration files; they can communicate with each other through well-defined channels. All containers are run by a single operating-system kernel and are thus more lightweight than virtual machines. Containers are created from images that specify their precise contents. “ - Wikipedia.


  • Introduction
  • What Is Container Escaping?
  • How This Vulnerbaility Works?
  • Who Are Vulnerable To Container Escaping And Fixing Tips
  • Conclusion
  • How Briskinfosec Can Help You?
  • Curious To Read Our Case Studies?
  • Last But Not The Least
  • You May Be Interested In


This blog is about a CVE-2019-5736 (Common Vulnerabilities and Exposures) that was discovered recently on the runC. It’s also said as RunCescape. A researcher from Poland successfully discovered this vulnerability while solving the CTF (Capture The Flag) challenge. Successful exploitation of this vulnerability would allow intruders to gain the root access of the host machine.


‘Container Escaping’ is a vulnerability that’s recently discovered in the container management. This escaping occurs due to the vulnerability in the runC, and can perform the root level code execution. Containers are separated from the host by kernel modules called cgroups, namespaces, etc. With these modules, host machines can create a new virtual environment by sharing kernels. By default, the containers are managed in a sand boxed environment. Due to this, there’s a chance to manipulate the virtual process of the Linux machine to open an exited memory.


This vulnerability can be exploited in two phases:

  • First one is by injecting malicious commands inside the container.
  • Second one is by creating a malicious docker image.

Here, the attacker would overwrite the binary of the container (/bin/sh) to redirect to path /proc/self/exe i.e it points to the docker-run on the host machine. This will re-execute the original docker-run to the new docker-run from inside the container. During this, the file will be loaded from the container and an attacker can control this from inside the container. This would trigger the /proc/self/exec and malicious binary. Then, the malicious binary would overwrite the docker-run. When another process connects to the container, malicious docker-runC (the one in the host machine) is triggered and gives the root access of the host machine.

Both of the above methods work in an almost similar manner, but the actions that’re performed during the exploitation differs. In the first method, an attacker would run the exploit from inside the container. In second method, the victim would download the malicious docker image while trying to get the container shell. It would give the shell of the host machine with root privileges to the attacker.


runC is the open-source container runtime that supports many familiar container management platforms like docker, cri-o, containerd and Kubernetes. Containers help applications to remain highly adroit and on-demand for architecting cloud services. It’s also utilized by enterprises globally like Amazon Web Services, Microsoft Azure and other cloud providers.

Red Hat products are protected by SELinux in enforcing mode; but the vulnerability isn’t blocked by the default AppArmor policy nor by the default SELinux policy.

Other container projects like Apache Mesos and LXC (Cluster management and Linux virtualization methods) also have same vulnerabilities. Later, they’d also patched this issue. So, to defend from this vulnerability, the policies of these modules like SELinux and AppArmor should be maintained properly. 


Containers are unique for its isolated environment, but now some genius have found a way to even break the sand boxed environment. Here, they are trying to hack the kernel modules of the host machine to achieve this exploitation. Hence, the container environment is no longer considered safe anymore.


This vulnerability, with a severity rating of 7.2, has the tendency to break the security layers and helping the intruders to obtain root access. If obtained, the intruder can compromise the entire network and many of your confidential data can be compromised. Hence, to escape from being a victim of such threats, Briskinfosec provides the proper guidance that helps you to remain secured against them. Further, intense research is underway by our security veterans every day in this docker platform at BINT labs, in order to provide the best possible help. To know it in depth, kindly reach out to us anytime.  


The main reasons for us to be listed as one among the top 20 most promising cybersecurity providers is because of our promising security quality providence. To know about it, just check out our case studies.


If you believe that spending time to check out some lucrative things isn’t a regret, then we’d request you to check out our Threatsploit Adversary Reports. It’s one single report that’s prepared by us on a monthly basis, containing the accumulation of the most significant cyberattacks that’d happened worldwide, it’s impacts caused, the losses faced and much more. Even the best possible mitigation measures are mentioned for you to stay precautious against such threats. Just read it. You’ll not feel disappointed.




Lokesh A

Security Engineer

He is a Security engineer having a good knowledge in the field of network penetration testing and also in docker security. He does many CTF challenges and create docker tools and prepares many good blogs.

Add Your Comments

Your Comments*