Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

SECURITY BULLETIN: Mitigation Against CVE-2019-5736 (runC and Containers) with Trend Micro Deep Security

    • Updated:
    • 13 Mar 2020
    • Product/Version:
    • Deep Security
    • Deep Security As A Service
    • Platform:
    • Amazon AMI 32-bit
    • Amazon AMI 64-bit
    • CentOS 5.4 32-bit
    • CentOS 5.4 64-bit
    • CentOS 5.5 32-bit
    • CentOS 5.5 64-bit
    • CentOS 5.6 32-bit
    • CentOS 5.6 64-bit
    • CentOS 5.7 32-bit
    • CentOS 5.7 64-bit
    • CentOS 5.8 32-bit
    • CentOS 5.8 64-bit
    • CentOS 6 32-bit
    • CentOS 6 64-bit
    • CentOS 6.1 32-bit
    • CentOS 6.1 64-bit
    • CentOS 6.2 32-bit
    • CentOS 6.2 64-bit
    • CentOS 7.0 64-bit
    • HPUX 11.x
    • IBM AIX
    • IBM AIX 5.3
    • IBM AIX 6.1
    • IBM AIX 7.1
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 4 64-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Linux - Red Hat RHEL 7 64-bit
    • Linux - SuSE 10
    • Linux - SuSE 10 64-bit
    • Linux - SuSE 11
    • Linux - SuSE 11 64-bit
    • N/A N/A
    • Oracle Linux 5 32-bit
    • Oracle Linux 5 64-bit
    • Oracle Linux 6 32-bit
    • Oracle Linux 6 64-bit
    • Oracle Solaris 11 SPARC
    • Oracle Solaris 11 x86
    • Ubuntu 10.04 64-bit
    • Ubuntu 12.04 64-bit
    • Unix - Solaris (Sun) version 10 (SunOS 5.10)
    • Unix - Solaris (Sun) version 9 (SunOS 5.9)
    • VMware ESX 4.0
    • VMware ESX 4.1
    • VMware ESX 5.0
    • VMware ESXi 4.0
    • VMware ESXi 4.1
    • VMware ESXi 5.0
    • VMware ESXi 5.1
    • VMware ESXi 5.5
    • VMware ESXi 6.0
    • VMware ESXi 6.5
    • VMware ESXi 6.7
    • VMware vCenter 5.0
    • VMware vCenter 5.5
    • VMware vSphere 5.1
    • VMware vSphere 5.5
    • Windows 10
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Small Business Server
    • Windows 2003 Small Business Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Essential Business Server
    • Windows 2008 Server Core
    • Windows 2008 Server Foundation
    • Windows 2008 Server R2
    • Windows 2008 Server R2 Datacenter
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Server R2 with Hyper-V(TM)
    • Windows 2008 Small Business Server
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Foundation R2
    • Windows 2012 Standard R2
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
    • Windows XP SP2 32-bit
    • Windows XP SP3 32-bit
On February 11, 2019, a first-of-its-kind container escape vulnerability in runC was publicly announced, which in the right (or wrong) circumstances, could lead to an attacker gaining root privileges and gaining complete control on the host running the container.
This vulnerability is not limited to one specific type of container since runC is a low-level Linux tool that is at the heart of most, if not all, popular container runtimes in use today.
Based on the technical analysis, a possible exploit could be triggered simply by running a malicious image - which when run on a host - could allow the runC component on the host to be overwritten by a specially-crafted binary and executed; leading to the attacker gaining control of the host.
Please note that this vulnerability could potentially be exploited when attaching to a running container; however the container image must have already been compromised.

Mitigation and Detection

The first order of business to protect against any sort of known vulnerability is to patch (if available). However, there are some other steps that can be taken to also help protect users:

  1. Only trusted image sources should be used as a source of images for a production environment.  Blocking direct access to public repositories from production container hosts can help maintain a clean environment.
  2. Ensure that your APIs are not exposed publicly.  Abuse of APIs to run rogue containers is a real and serious threat.
  3. Ensure containers are not being run as root (unless absolutely necessary).
  4. It has been reported that enabling SELinux on RedHat distributions of Linux or AppArmor on Ubuntu may help prevent against possible attacks.
  5. And it should be noted again, PATCH as soon as possible.


Trend Micro Deep Security Protection

Trend Micro Deep Security customers also have another line of defense against potential exploits using one or more of the controls outlined below.


Application Control

Setting up Trend Micro Deep Security Application Control helps administrators to continuously monitor for software changes on protected servers and is intended for use on stable servers that do not undergo frequent software changes (like workstations).

In a situation where runC is compromised, Application Control's whitelist can help raise a critical flag in the case of a potential attack due to the modified runC binary not being recognized. This flag may appear as an entry in the Deep Security SYSTEM EVENT section (sample below):


Deep Security App Control System Event


For this particular exploit, the event information above would be a flag to investigate further and take additoinal actions such as initiating an on-demand Deep Security Integrity Monitoring scan.


Integrity Monitoring

Ensuring the integrity of the underlying operating system is paramount.  To leverage this particular vulnerability, an attacker would most likely overwrite or somehow manipulate the existing runC binary.  Environments that enable Trend Micro Deep Security's Integrity Monitoring protection allow administrators to keep a close eye on changes made to files and critical system areas that could indicate suspicious activity.

Due to the unqiue nature of this exploit, it is highly recommended that administrators utilize scheduled and/or on-demand Integrity Monitoring scans in addition to real-time scans (if enabled) for maximum protection.

The following Trend Micro Deep Security Integrity Monitoring rule detects changes to any binaries in the /usr/bin and /usr/sbin directories:

  • Rule 1002770 - Unix - File Attributes Change In /usr/bin AND /usr/sbin Locations

This is significant, because these are common locations in which the runC binary resides in many containers.  Note that this rule is deployed out-of-the-box and is already enabled without additional configuration required.

In case of an attack on Docker, a change detected by Integrity Monitoring could generate an alert similiar to the one below (key areas of the alert highlighted):

Deep Security Rule 1002770


An additional Integrity Monitoring rule is also available that covers a wider range of Docker-specific artifacts across the system and not just limited to the runC binary.  This rule takes a wholistic approach to monitoring the integrity of a Docker installation across the host - such as files, directories, installed software and application processes:

  • Rule 1008271 - Application - Docker

An event for Docker could appear similar to the one below:

Deep Security Rule 1008271


Technical Information and Links

More technical information on the vulnerability, as well as specific vendor advisories can be found on the following links.

Information and Blogs

Cloud Providers
Configure; Update
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.