CVE-2019-9893
📋 TL;DR
A vulnerability in libseccomp versions before 2.4.0 incorrectly generates 64-bit syscall argument comparisons using arithmetic operators (LT, GT, LE, GE). This allows attackers to bypass seccomp filters, potentially leading to privilege escalation. Systems using affected libseccomp versions with seccomp filters are vulnerable.
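Why these four operators are the fragile ones: seccomp BPF can only compare 32-bit words, so a 64-bit argument comparison has to be decomposed into a high-word and a low-word compare, and a decomposition that is wrong at the word boundary lets values through that the rule was meant to stop. The added C example below (written for this page, not libseccomp's own code; the enum names, the deliberately wrong variant and the probe values are constructed for illustration) shows the correct decomposition next to a hypothetical componentwise one and a checker that counts where each diverges from a plain 64-bit compare around the boundary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Operator classes named in the advisory; enum names are ours, not libseccomp's. */
enum cmp_op { CMP_LT, CMP_LE, CMP_GT, CMP_GE };

/* Ground truth: a plain unsigned 64-bit compare. */
static bool cmp64_reference(uint64_t a, enum cmp_op op, uint64_t x)
{
    switch (op) {
    case CMP_LT: return a < x;
    case CMP_LE: return a <= x;
    case CMP_GT: return a > x;
    case CMP_GE: return a >= x;
    }
    return false;
}

/* Correct word-wise form: the high words settle the result unless they are
 * equal; only then does the same operator applied to the low words decide. */
static bool cmp64_split_correct(uint64_t a, enum cmp_op op, uint64_t x)
{
    uint32_t ah = a >> 32, al = (uint32_t)a, xh = x >> 32, xl = (uint32_t)x;
    if (ah != xh)
        return (op == CMP_GT || op == CMP_GE) ? ah > xh : ah < xh;
    return cmp64_reference(al, op, xl);
}

/* Hypothetical wrong form (constructed for the checker, not a claim about
 * libseccomp's exact code): apply the operator to each word and AND them. */
static bool cmp64_split_wrong(uint64_t a, enum cmp_op op, uint64_t x)
{
    uint32_t ah = a >> 32, al = (uint32_t)a, xh = x >> 32, xl = (uint32_t)x;
    return cmp64_reference(ah, op, xh) && cmp64_reference(al, op, xl);
}

/* Probe a decomposition where high and low words "disagree" with the
 * threshold; returns how many (probe, op) pairs diverge from the truth. */
static int count_mismatches(bool (*split)(uint64_t, enum cmp_op, uint64_t))
{
    const uint64_t x = 0x0000000100000000ULL;          /* threshold hi=1, lo=0 */
    const uint64_t probes[] = { 0x00000000FFFFFFFFULL,  /* hi below, lo large */
                                0x0000000100000000ULL,  /* equal */
                                0x0000000100000001ULL,  /* hi equal, lo above */
                                0x0000000200000000ULL,  /* hi above, lo zero */
                                0x00000001FFFFFFFFULL };/* hi equal, lo max */
    int bad = 0;
    for (int op = CMP_LT; op <= CMP_GE; op++)
        for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
            if (split(probes[i], (enum cmp_op)op, x) !=
                cmp64_reference(probes[i], (enum cmp_op)op, x))
                bad++;
    return bad;
}
```

The same probe set is a reasonable basis for a post-patch functional check of a real rule built with a 64-bit argument compare: the values that straddle the high-word boundary are the ones a filter must classify correctly.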
💻 Affected Systems
- libseccomp
📦 What is this software?
Libseccomp by Libseccomp Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation, allowing attackers to execute arbitrary code with elevated privileges and bypass container/application sandboxes.
Likely Case
Bypass of seccomp filters leading to unauthorized syscall execution, potentially enabling container escape or application sandbox bypass in containerized environments.
If Mitigated
Limited impact if proper network segmentation, minimal privileges, and defense-in-depth controls are implemented alongside seccomp.
🎯 Exploit Status
Exploitation requires ability to execute code and knowledge of seccomp filter bypass techniques; public PoC exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:3624
Restart Required: Yes
Instructions:
1. Update libseccomp to version 2.4.0 or later using your distribution's package manager.
2. For Red Hat/CentOS: 'yum update libseccomp'.
3. For Debian/Ubuntu: 'apt-get update && apt-get install libseccomp2'.
4. Restart affected services/containers using libseccomp.
🔧 Temporary Workarounds
Disable seccomp filters
Linux: Temporarily disable seccomp filtering in container runtimes or applications (increases risk but mitigates this specific vulnerability).
docker run --security-opt seccomp=unconfined ...
kubectl edit pod <pod-name> and remove seccompProfile
🧯 If You Can't Patch
- Implement strict network segmentation to limit lateral movement from potentially compromised containers.
- Use additional security layers like SELinux/AppArmor alongside seccomp to reduce impact of filter bypass.
🔍 How to Verify
Check if Vulnerable:
Check libseccomp version: 'rpm -q libseccomp' (RHEL) or 'dpkg -l libseccomp2' (Debian/Ubuntu). If version < 2.4.0 and seccomp filters are used, system is vulnerable.
Check Version:
rpm -q libseccomp || dpkg -l libseccomp2 || pacman -Q libseccomp
Verify Fix Applied:
Confirm libseccomp version is 2.4.0 or later using version check command and verify seccomp filters function correctly in test containers.
📡 Detection & Monitoring
Log Indicators:
- Unexpected syscall executions in audit logs (auditd) from containers/applications using seccomp.
- Failed seccomp filter violations that should have been blocked.
Network Indicators:
- Unusual outbound connections from containers that should be restricted by seccomp policies.
SIEM Query:
source="auditd" AND (syscall=* AND seccomp=denied) | stats count by syscall, container_id
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00027.html
- https://access.redhat.com/errata/RHSA-2019:3624
- https://github.com/seccomp/libseccomp/issues/139
- https://seclists.org/oss-sec/2019/q1/179
- https://security.gentoo.org/glsa/201904-18
- https://usn.ubuntu.com/4001-1/
- https://usn.ubuntu.com/4001-2/