CVE-2019-19921

7.0 HIGH

📋 TL;DR

CVE-2019-19921 is a privilege escalation vulnerability in runc (container runtime) that allows attackers with container creation privileges to escape container isolation and gain root access on the host system. It affects runc versions up to 1.0.0-rc9 when using custom volume mounts. Docker is not affected due to implementation differences.

💻 Affected Systems

Products:
  • runc
  • Kubernetes (when using vulnerable runc)
  • containerd (when using vulnerable runc)
  • CRI-O (when using vulnerable runc)
Versions: runc versions up to and including 1.0.0-rc9
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Docker is NOT affected due to implementation details. Requires ability to create containers with custom volume mounts.

📦 What is this software?

runc is the command-line reference implementation of the OCI (Open Container Initiative) runtime specification, used to spawn and run containers on Linux. It is the low-level runtime underneath Docker, containerd and CRI-O, and therefore underneath Kubernetes clusters that use those runtimes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full host compromise with root privileges, allowing complete control over the host system and all containers running on it.

🟠 Likely Case

Container escape leading to unauthorized access to host filesystem, sensitive data exposure, and potential lateral movement to other containers.

🟢 If Mitigated

Limited impact with proper container isolation, minimal container privileges, and restricted volume mount configurations.

🌐 Internet-Facing: MEDIUM - Requires authenticated access to container orchestration system, but could be exploited through compromised container images or misconfigured CI/CD pipelines.
🏢 Internal Only: HIGH - Internal attackers with container deployment privileges can easily exploit this to gain host root access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires ability to spawn two containers with custom volume-mount configurations and run custom images. Attack requires container creation privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: runc 1.0.0-rc10 and later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2020:0688

Restart Required: Yes

Instructions:

1. Update runc to version 1.0.0-rc10 or later.
2. Update the container runtime (containerd, CRI-O) to versions that include the patched runc.
3. Restart all containers and container runtime services.
4. For Kubernetes, update kubelet and container runtime components.

🔧 Temporary Workarounds

Restrict container privileges (Linux)

Implement least privilege principles for containers to limit attack surface:

  • Use Pod Security Policies (Kubernetes)
  • Implement seccomp profiles
  • Drop unnecessary capabilities
  • Use read-only root filesystems

Limit volume mount capabilities (Linux)

Restrict ability to mount arbitrary host paths in containers:

  • Use Kubernetes admission controllers to validate volume mounts
  • Implement container runtime policies

🧯 If You Can't Patch

  • Implement strict container privilege restrictions using security contexts
  • Monitor for suspicious container creation patterns and volume mount attempts

🔍 How to Verify

Check if Vulnerable:

Check the runc version: runc --version | grep version. If the version is 1.0.0-rc9 or earlier, the system is vulnerable. Distribution packages sometimes backport fixes while keeping an older upstream version string; in that case confirm against the package changelog or the vendor advisory rather than the version string alone.

Check Version:

runc --version

Verify Fix Applied:

Verify runc version is 1.0.0-rc10 or later: runc --version | grep version
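The version check above, carried through as an added shell example (not part of this page): it classifies the output of `runc --version` against the 1.0.0-rc10 fix release and compares the release-candidate numbers numerically, since a plain string comparison sorts "rc10" before "rc9". The function name and the output words are this example's own choices.

```shell
#!/bin/sh
# Added example: classify `runc --version` output against the CVE-2019-19921 fix
# release (1.0.0-rc10). Prints one of: vulnerable, fixed, unknown.
runc_status() {
    out=$1
    # Pull "1.0.0-rc9" out of "runc version 1.0.0-rc9" (or a bare version string);
    # anything after the rc number, e.g. "+dev", is ignored. Later lines of the
    # real output (commit:, spec:, go:) do not match the anchored pattern.
    v=$(printf '%s\n' "$out" \
        | sed -n 's/^\(runc version \)\{0,1\}\([0-9][0-9.]*\(-rc[0-9]*\)\{0,1\}\).*/\2/p' \
        | head -n 1)
    case $v in
        '' | *-rc) echo unknown; return 0 ;;   # no version, or "-rc" without a number
    esac
    base=${v%%-rc*}          # 1.0.0
    rc=${v#"$base"}          # "-rc9" or ""
    rc=${rc#-rc}             # "9" or ""
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # Every release before 1.0.0-rc10 is affected; 1.0.0 GA and anything later is fixed.
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && { [ "$minor" -gt 0 ] || [ "$patch" -gt 0 ]; }; }; then
        echo fixed
    elif [ "$major" -lt 1 ]; then
        echo vulnerable
    elif [ -z "$rc" ] || [ "$rc" -ge 10 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the local host when runc is on PATH (skipped silently otherwise).
if command -v runc >/dev/null 2>&1; then
    echo "local runc: $(runc_status "$(runc --version 2>/dev/null)")"
fi
```

Remember that a backported distribution package can report an older upstream string; this function only reflects what runc prints.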

📡 Detection & Monitoring

Log Indicators:

  • Unusual container creation patterns
  • Multiple containers with custom volume mounts created by same user
  • Container escape attempts in audit logs

Network Indicators:

  • Unexpected outbound connections from container hosts
  • Lateral movement attempts between containers

SIEM Query:

container.runtime=runc AND container.version<=1.0.0-rc9 AND event.action=create AND volume.mount.type=custom
