A new version of Docker addresses a security issue that can allow processes running in containers to gain access to the host machine.

Docker allows additional processes to be launched within the context of existing containers using `docker exec`, which in turn uses the underlying `runC exec`. The vulnerability allows an existing containerized process to access open file descriptors in the new process as it is being initialized to run in the existing container. In other words, the containerized process can access the host file system and other resources that are not intended to be accessible.

 

Protection with Twistlock

Twistlock helps protect your container infrastructure from this vulnerability and similar ones in a few ways:

  1. Compliance / Policy enforcement. It is only possible to exploit this vulnerability if the containerized process is running as root. Twistlock will alert and prevent containers from running this way.  Here’s a screen snip of one of our compliance rules configured to prevent containers from running as root, followed by a screenshot of the message a user will see if they attempt to violate the rule:12
  2. Ongoing host vulnerability scanning. Twistlock continuously scans the host for newly disclosed vulnerabilities and security issues, in addition to scanning the containers themselves.  In this case, we can detect that the Docker version on the host in the screenshot below is vulnerable to this CVE, by comparing the reported version and build details with vulnerability data from our Intelligence Stream:3

 

Users are advised to upgrade existing installations of the Docker Engine and use 1.12.6 for
new installations.

1 2

More resources

Try out Twistlock now. Download a free trial of our product.

Get Twistlock

Subscribe To Our Container Security Newsletter

Join our mailing list to receive the latest news and updates from our team.