Mitigation and Detection
The first order of business to protect against any sort of known vulnerability is to patch (if available). However, there are some other steps that can be taken to also help protect users:
- Only trusted sources should be used to supply images for a production environment. Blocking direct access to public repositories from production container hosts helps keep the environment clean.
- Ensure that your APIs are not exposed publicly. Abuse of APIs to run rogue containers is a real and serious threat.
- Ensure containers are not being run as root (unless absolutely necessary).
- It has been reported that enabling SELinux on Red Hat distributions of Linux, or AppArmor on Ubuntu, may help mitigate possible attacks.
- And it should be noted again, PATCH as soon as possible.
Trend Micro Deep Security Protection
Trend Micro Deep Security customers also have another line of defense against potential exploits using one or more of the controls outlined below.
Setting up Trend Micro Deep Security Application Control lets administrators continuously monitor for software changes on protected servers. It is intended for stable servers that do not undergo frequent software changes (unlike workstations, which typically do).
In a situation where runC is compromised, Application Control's whitelist can help raise a critical flag in the case of a potential attack due to the modified runC binary not being recognized. This flag may appear as an entry in the Deep Security SYSTEM EVENT section (sample below):
For this particular exploit, the event information above would be a flag to investigate further and take additional actions, such as initiating an on-demand Deep Security Integrity Monitoring scan.
Ensuring the integrity of the underlying operating system is paramount. To leverage this particular vulnerability, an attacker would most likely overwrite or somehow manipulate the existing runC binary. Environments that enable Trend Micro Deep Security's Integrity Monitoring protection allow administrators to keep a close eye on changes made to files and critical system areas that could indicate suspicious activity.
Due to the unique nature of this exploit, it is highly recommended that administrators use scheduled and/or on-demand Integrity Monitoring scans in addition to real-time scans (if enabled) for maximum protection.
The following Trend Micro Deep Security Integrity Monitoring rule detects changes to any binaries in the /usr/bin and /usr/sbin directories:
- Rule 1002770 - Unix - File Attributes Change In /usr/bin AND /usr/sbin Locations
This is significant because these are common locations in which the runC binary resides in many containers. Note that this rule is deployed out of the box and is already enabled, with no additional configuration required.
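To illustrate the attribute-change detection that rule 1002770 performs, here is an added example (not Deep Security code and not part of the original article): it snapshots the hash, permission bits, owner and size of every regular file under /usr/bin and /usr/sbin (the directories are an assumed default and can be overridden), then reports which files were added, removed or changed and which attribute moved.

```python
import hashlib
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Directories watched by the rule discussed above; assumed as the default here.
DEFAULT_DIRS = ("/usr/bin", "/usr/sbin")

Attrs = Tuple[str, int, int, int]  # (sha256, permission bits, uid, size)
FIELDS = ("sha256", "mode", "uid", "size")


def file_attrs(path: str) -> Attrs:
    """Hash the file contents and record the attributes a tampered binary would alter."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return (digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)


def build_baseline(dirs: Iterable[str] = DEFAULT_DIRS) -> Dict[str, Attrs]:
    """Snapshot every regular file (symlinks skipped) under the given directories."""
    baseline: Dict[str, Attrs] = {}
    for directory in dirs:
        for root, _, files in os.walk(directory):
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    baseline[path] = file_attrs(path)
    return baseline


def compare(old: Dict[str, Attrs], new: Dict[str, Attrs]) -> Dict[str, object]:
    """Diff two snapshots; 'changed' maps each path to the attributes that differ."""
    changed: Dict[str, List[str]] = {}
    for path in set(old) & set(new):
        diffs = [f for f, a, b in zip(FIELDS, old[path], new[path]) if a != b]
        if diffs:
            changed[path] = diffs
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": changed,
    }
```

Run `build_baseline()` on a known-good host, persist the result, and feed a fresh snapshot to `compare()` on a schedule; a hash, mode or owner change on a file such as runc is the signal to investigate.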
In the case of an attack on Docker, a change detected by Integrity Monitoring could generate an alert similar to the one below (key areas of the alert highlighted):
An additional Integrity Monitoring rule is also available that covers a wider range of Docker-specific artifacts across the system, not just the runC binary. This rule takes a holistic approach to monitoring the integrity of a Docker installation across the host, covering files, directories, installed software and application processes:
- Rule 1008271 - Application - Docker
An event for Docker could appear similar to the one below:
Technical Information and Links
More technical information on the vulnerability, as well as specific vendor advisories, can be found at the following links.
Information and Blogs
- Trend Micro SimplySecurity Blog:
- Openwall Announcement:
- MITRE CVE:
- National Vulnerability Database (NVD):
- Linux Containers (LXC):
- Amazon Web Services (AWS):
- Google Cloud: