===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.0608
Container Privilege Escalation Vulnerability Affecting Cisco Products: February 2019
27 February 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Cisco Container Platform
                   Cisco Cloudlock
                   Cisco Defense Orchestrator
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5736

Reference:         ESB-2019.0498.3
                   ESB-2019.0488.2
                   ESB-2019.0466
                   ESB-2019.0458
                   ESB-2019.0428

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

- --------------------------BEGIN INCLUDED TEXT--------------------

Container Privilege Escalation Vulnerability Affecting Cisco Products: February 2019

Priority:         High
Advisory ID:      cisco-sa-20190215-runc
First Published:  2019 February 15 17:00 GMT
Last Updated:     2019 February 26 20:00 GMT
Version 1.4:      Interim
Workarounds:      No workarounds available

CVE-2019-5736
CWE-264

Summary

  o A vulnerability in the Open Container Initiative runc CLI tool used by
    multiple products could allow an unauthenticated, remote attacker to
    escalate privileges on a targeted system.

    The vulnerability exists because the affected software improperly
    handles file descriptors related to /proc/self/exe. An attacker could
    exploit the vulnerability either by persuading a user to create a new
    container using an attacker-controlled image or by using the docker exec
    command to attach into an existing container that the attacker already
    has write access to. A successful exploit could allow the attacker to
    overwrite the host's runc binary file with a malicious file, escape the
    container, and execute arbitrary commands with root privileges on the
    host system.
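Added example, not part of the Cisco advisory or the AusCERT bulletin: because a successful exploit overwrites the host's runc binary, one detection is to audit writes to that file and flag any writer that is not the system's update tooling. The sketch assumes a Linux audit watch on the runc binary with the key runc_write; the key, the trusted-writer list and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

WATCH_KEY = "runc_write"  # assumed key of an audit watch on the host runc binary
TRUSTED_WRITERS = {"/usr/bin/dpkg", "/usr/bin/rpm"}  # assumed update tooling

# Constructed auditd records, not taken from a real host.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1550000001.100:501): syscall=257 success=yes exit=3 pid=812 uid=0 exe="/usr/bin/dpkg" key="runc_write"
type=PATH msg=audit(1550000001.100:501): item=0 name="/usr/bin/runc" nametype=NORMAL
type=SYSCALL msg=audit(1550000090.420:777): syscall=257 success=no exit=-26 pid=4242 uid=0 exe="/bin/sh" key="runc_write"
type=PATH msg=audit(1550000090.420:777): item=0 name="/usr/bin/runc" nametype=NORMAL
type=SYSCALL msg=audit(1550000090.640:778): syscall=257 success=yes exit=4 pid=4242 uid=0 exe="/bin/sh" key="runc_write"
type=PATH msg=audit(1550000090.640:778): item=0 name="/usr/bin/runc" nametype=NORMAL
type=SYSCALL msg=audit(1550000120.000:790): syscall=257 success=yes exit=3 pid=900 uid=0 exe="/usr/bin/vim" key="passwd_write"
type=PATH msg=audit(1550000120.000:790): item=0 name="/etc/passwd" nametype=NORMAL
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_events(text):
    """Group SYSCALL and PATH records that share an audit serial number."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        match = EVENT.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        event = events[match.group(2)]
        if fields.get("type") == "SYSCALL":
            event.update(exe=fields.get("exe"), key=fields.get("key"),
                         success=fields.get("success") == "yes")
        elif fields.get("type") == "PATH":
            event["paths"].append(fields.get("name"))
    return events


def suspicious_runc_writes(text):
    """Return (serial, exe, succeeded) for untrusted writers of the runc binary."""
    alerts = []
    for serial, event in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        # Match on the rule key: the PATH name is whatever path the caller
        # passed to the syscall, so the name alone is not a reliable filter.
        if event.get("key") != WATCH_KEY or event.get("exe") in TRUSTED_WRITERS:
            continue
        # Failed attempts are kept: they still show something tried to write.
        alerts.append((serial, event["exe"], event["success"]))
    return alerts
```

On the constructed log this flags the two events from /bin/sh and ignores the package-manager write and the unrelated /etc/passwd event.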
    This advisory will be updated as additional information becomes
    available.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

Affected Products

  o Cisco is investigating its product line to determine which products and
    cloud services may be affected by this vulnerability. As the
    investigation progresses, Cisco will update this advisory with
    information about affected products and services.

    The Vulnerable Products section will include Cisco bug IDs for each
    affected product or service. The bugs will be accessible through the
    Cisco Bug Search Tool and contain additional platform-specific
    information, including workarounds (if available) and fixed software
    releases.

    Products Under Investigation

    The following products and services are under active investigation to
    determine whether they are affected by the vulnerability that is
    described in this advisory.

    Routing and Switching - Enterprise and Service Provider
        Cisco IOS XE Software

    Unified Computing
        Cisco UCS B-Series M3 Blade Servers

    Cisco Cloud Hosted Services
        Cisco Smart Software Manager Satellite

    Vulnerable Products

    The following table lists Cisco products that are affected by the
    vulnerability that is described in this advisory. If a future release
    date is indicated for software, the date provided represents an estimate
    based on all information known to Cisco as of the Last Updated date at
    the top of the advisory. Availability dates are subject to change based
    on a number of factors, including satisfactory testing results and
    delivery of other priority features and fixes. If no version or date is
    listed for an affected component (indicated by a blank field and/or an
    advisory designation of Interim), Cisco is continuing to evaluate the fix
    and will update the advisory as additional information becomes available.
    After the advisory is marked Final, customers should refer to the
    associated Cisco bug(s) for further details.

    Product                       Cisco Bug ID   Fixed Release Availability

    Network Management and Provisioning
    Cisco Container Platform      CSCvo33929     3.1.0 (Mar 2019)

    Cisco Cloud Hosted Services
    Cisco Cloudlock               CSCvo37511     Cisco will update affected
                                                 systems in Mar 2019.
    Cisco Defense Orchestrator    CSCvo42107     Cisco updated affected systems.
                                                 On-premises: 19.8 (Available)

    Products Confirmed Not Vulnerable

    Only products and services listed in the Vulnerable Products section of
    this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    products and services:

    Network Application, Service, and Acceleration
        Cisco Adaptive Security Appliance (ASA) Software

    Network and Content Security Devices
        Cisco ASA CX
        Cisco ASA Next-Generation Firewall Services
        Cisco Firepower 9000 Series - Integrated Management Controller
        Cisco Identity Services Engine (ISE)

    Network Management and Provisioning
        Cisco Data Center Network Manager
        Cisco Jasper Control Center
        Cisco Managed Services Accelerator
        Cisco Policy Suite
        Cisco Virtual Topology System (formerly Cisco Virtual Systems
        Operations Center) - VTSR VM
        Cisco Virtualized Infrastructure Manager

    Routing and Switching - Enterprise and Service Provider
        Cisco 4000 Series Integrated Services Routers - IOx feature
        Cisco Application Policy Infrastructure Controller (APIC)
        Cisco DNA Center
        Cisco IOS XR Software
        Cisco Industrial Ethernet 4000 Series Switches (IOx feature)
        Cisco Nexus 3000 Series Switches
        Cisco Nexus 9000 Series Fabric Switches in Application Centric
        Infrastructure (ACI) mode
        Cisco Nexus 9000 Series Switches in standalone NX-OS mode
        Cisco Virtual Application Policy Infrastructure Controller (APIC)

    Unified Computing
        Cisco Enterprise NFV Infrastructure Software (NFVIS)
        Cisco HyperFlex System
        Cisco Intersight
        Cisco UCS 6200 Series Fabric Interconnects
        Cisco UCS Fabric Interconnects
        Cisco UCS Manager

    Cisco Cloud Hosted Services
        Cisco Metacloud
        Cisco Umbrella
        Cisco Webex Teams (formerly Cisco Spark)

Workarounds

  o Any workarounds for a specific Cisco product or service will be
    documented in the relevant Cisco bugs, which are identified in the
    Vulnerable Products section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o On February 12, 2019, the runc maintainers publicly disclosed this
    vulnerability on the oss-sec mailing list. This announcement is at the
    following link: https://seclists.org/oss-sec/2019/q1/119

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o runc System File Descriptors Handling Privilege Escalation Vulnerability

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

Revision History

  o +---------+-------------------+--------------+---------+------------------+
    | Version | Description       | Section      | Status  | Date             |
    +---------+-------------------+--------------+---------+------------------+
    |         | Updated the lists | Affected     |         |                  |
    |         | of products under | Products,    |         |                  |
    |         | investigation,    | Vulnerable   |         |                  |
    | 1.4     | vulnerable        | Products,    | Interim | 2019-February-26 |
    |         | products, and     | Products     |         |                  |
    |         | products          | Confirmed    |         |                  |
    |         | confirmed not     | Not          |         |                  |
    |         | vulnerable.       | Vulnerable   |         |                  |
    +---------+-------------------+--------------+---------+------------------+
    |         | Updated the lists | Affected     |         |                  |
    |         | of products under | Products,    |         |                  |
    |         | investigation,    | Vulnerable   |         |                  |
    | 1.3     | vulnerable        | Products,    | Interim | 2019-February-21 |
    |         | products, and     | Products     |         |                  |
    |         | products          | Confirmed    |         |                  |
    |         | confirmed not     | Not          |         |                  |
    |         | vulnerable.       | Vulnerable   |         |                  |
    +---------+-------------------+--------------+---------+------------------+
    |         | Updated the lists | Affected     |         |                  |
    |         | of products under | Products,    |         |                  |
    |         | investigation,    | Vulnerable   |         |                  |
    | 1.2     | vulnerable        | Products,    | Interim | 2019-February-20 |
    |         | products, and     | Products     |         |                  |
    |         | products          | Confirmed    |         |                  |
    |         | confirmed not     | Not          |         |                  |
    |         | vulnerable.       | Vulnerable   |         |                  |
    +---------+-------------------+--------------+---------+------------------+
    |         | Updated the lists | Affected     |         |                  |
    |         | of products under | Products,    |         |                  |
    |         | investigation,    | Vulnerable   |         |                  |
    | 1.1     | vulnerable        | Products,    | Interim | 2019-February-18 |
    |         | products, and     | Products     |         |                  |
    |         | products          | Confirmed    |         |                  |
    |         | confirmed not     | Not          |         |                  |
    |         | vulnerable.       | Vulnerable   |         |                  |
    +---------+-------------------+--------------+---------+------------------+
    | 1.0     | Initial public    | -            | Interim | 2019-February-15 |
    |         | release.          |              |         |                  |
    +---------+-------------------+--------------+---------+------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================