Docker runc Mining Campaigns
Summary
Docker hosts vulnerable to the runc Privilege Escalation Vulnerability (CC-2927), discovered last month, continue to be targeted as part of ongoing campaigns that aim to compromise machines to mine cryptocurrency.
Affected platforms
The following platforms are known to be affected:
Docker CE
Docker
Threat details
Whilst patches have been released for the vulnerability, there are still many publicly exposed Docker daemons left unpatched.
To exploit the vulnerability, attackers search for publicly exposed APIs with weak security controls. Attackers will then attempt to execute a command as root within one of these contexts:
- A new container from an attacker-controlled image.
- An existing container to which the attacker previously had write access, entered using Docker exec.
The executed command overwrites the host runc binary and allows the attacker to execute further code on the host machine with root privileges.
Whilst the current campaigns look to exploit vulnerable hosts for mining cryptocurrency, compromised servers could also be used for other malicious purposes.
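A defender-side check for the exposure described above, as an added example that is not part of the original advisory: it reads a Docker `daemon.json` and `dockerd` arguments and reports TCP API listeners that lack client certificate verification (`tlsverify`). The function name, severity labels, sample configurations and certificate paths are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
NO_AUTH = "TCP API without client certificate verification"
OFF_HOST = "TCP API reachable off-host; restrict by firewall"

def audit_docker_listeners(daemon_json="", dockerd_args=()):
    """Return (listener, severity, reason) for each risky TCP API listener."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    args = list(dockerd_args)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    findings = []
    for listener in hosts:
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// are local sockets, not network APIs
        # An empty host is treated as non-loopback so that it gets reviewed.
        local = (urlsplit(listener).hostname or "") in LOOPBACK
        if not tlsverify:
            findings.append((listener, "medium" if local else "high", NO_AUTH))
        elif not local:
            findings.append((listener, "info", OFF_HOST))
    return findings

# Constructed sample inputs (not taken from any real host).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",            # constructed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for listener, sev, reason in audit_docker_listeners(text):
            print(f"{name}: [{sev}] {listener}: {reason}")
```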
For further information:
Remediation steps
| Type | Step |
|---|---|
| | Users and organisations are encouraged to contact their relevant suppliers and apply the necessary updates. Additionally, organisations should review Docker's security documentation and harden their systems appropriately. |
CVE Vulnerabilities
Last edited: 14 February 2020 2:44 pm