Runc binary modified

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1611-escape-to-host

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect modifications to the runc binary outside of the normal package management lifecycle.

Strategy

CVE-2019-5736, a vulnerability in runc through version 1.0-rc6 could allow attackers to overwrite the host runc binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host. Any modifications to runc (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.

Triage & Response

  1. Check to see which user or process changed the runc binary.
  2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.
  3. Update runc to a version above 1.0-rc6 (or Docker 18.09.2 and above).
  4. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.

Requires Agent version 7.27 or greater

PREVIEWING: may/unit-testing