Cisco Defense Orchestrator

Container Privilege Escalation Vulnerability Affecting Secure Device Connector: cisco-sa-20190215-runc

The Cisco Product Security Incident Response Team (PSIRT) published the security advisory cisco-sa-20190215-runc, which describes a high-severity vulnerability in Docker. Read the full PSIRT advisory for a complete explanation of the vulnerability.

This vulnerability impacts all CDO customers:

  • Customers using CDO's cloud-deployed Secure Device Connector (SDC) do not need to do anything, as the remediation steps have already been performed by the CDO Operations Team.
  • Customers using an SDC deployed on-premises need to upgrade their SDC host to the latest Docker version. They can do so by following the instructions below:

Updating a CDO-Standard SDC Host

Use these instructions if you deployed an on-premises Secure Device Connector using CDO's VM image.

  1. Connect to your SDC host using SSH or the hypervisor console.
  2. Check the version of your Docker service by running this command:

     docker version

  3. If you are running one of the latest virtual machines (VMs), you should see output like this:

     > docker version
     Client:
        Version:        18.06.1-ce
        API version:    1.38
        Go version:     go1.10.3
        Git commit:     e68fc7a
        Built:          Tue Aug 21 17:23:03 2018
        OS/Arch:        linux/amd64
        Experimental:   false

     You may see an older version here.

  4. Run the following commands to update Docker and restart the service:

     > sudo yum update docker-ce
     > sudo service docker restart

     Note: There will be a brief connectivity outage between CDO and your devices while the Docker service restarts.

  5. Run the docker version command again. You should see this output:

     > docker version
     Client:
        Version:           18.09.2
        API version:       1.39
        Go version:        go1.10.6
        Git commit:        6247962
        Built:             Sun Feb XX 04:13:27 2019
        OS/Arch:           linux/amd64
        Experimental:      false

  6. You are done. You have now upgraded to the latest, patched version of Docker.

Updating a Custom SDC Host

If you have created your own SDC host, you will need to update Docker according to how you installed it. If you used CentOS, yum, and Docker-ce (the community edition), the preceding procedure will work.

If you have installed Docker-ee (the enterprise edition) or used an alternate method to install Docker, the fixed versions of Docker may be different. You can check the Docker page to determine the correct versions to install: https://blog.docker.com/2019/02/docker-security-update-cve-2018-5736-and-container-security-best-practices/.
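The check in the CDO-Standard procedure above (compare the installed Docker version against the fixed release, then update and restart) and the note for custom hosts (the fixed version may differ) can be scripted so an administrator of many SDC hosts can verify each one consistently. The following is an added example, not a script from Cisco or Docker: it parses the client "Version:" line from `docker version` output, strips the "-ce" suffix so "18.06.1-ce" compares as 18.06.1, and only runs the yum update and service restart from the procedure when the installed version is older than the fixed one. The FIXED_VERSION value is the 18.09.2 release shown in the procedure; change it for Docker-ee or other installation methods per the Docker page. All function names and the sample output block are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Cisco or Docker tooling: decide whether an SDC host's
# Docker engine is older than the fixed release and, if so, apply the update
# steps from the procedure above.

# Fixed Docker CE release shown in the procedure (assumption: adjust for
# Docker-ee or other install methods, see the Docker page linked above).
FIXED_VERSION="18.09.2"

# version_lt A B: exit 0 (true) when version A sorts before version B.
# Suffixes such as "-ce" are dropped before comparing numeric components.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/-.*//')
    b=$(printf '%s' "$2" | sed 's/-.*//')
    [ "$a" = "$b" ] && return 1
    first=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$a" ]
}

# installed_version: print the first "Version:" value from `docker version`
# output read on stdin. The client block comes first, so that is the client
# version. "API version:" and "Go version:" use a lowercase v and do not match.
installed_version() {
    awk '/Version:/ { print $2; exit }'
}

# docker_needs_update: exit 0 when the version on stdin is older than FIXED_VERSION.
docker_needs_update() {
    v=$(installed_version)
    [ -n "$v" ] || return 1   # no Version line at all: do not act on garbage
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample mirroring the pre-upgrade output in the procedure.
SAMPLE_OLD='Client:
   Version:        18.06.1-ce
   API version:    1.38
   Go version:     go1.10.3'

# main: run the live check and, only if needed, the update steps from the
# procedure. Expect the brief connectivity outage noted above on restart.
main() {
    if docker version 2>/dev/null | docker_needs_update; then
        echo "Docker older than $FIXED_VERSION, updating"
        sudo yum update docker-ce
        sudo service docker restart
    else
        echo "Docker is at or above $FIXED_VERSION, nothing to do"
    fi
}

# Only touch the host when invoked with --run, so the functions can be
# sourced and checked against sample output without Docker present.
case "${1:-}" in
    --run) main ;;
esac
```

Invoke it as `sh check-docker.sh --run` on the SDC host; without `--run` it only defines the functions, which is how the sample output above can be fed through `docker_needs_update` for a dry check.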
Bug Tracking

Cisco is continuing to evaluate this vulnerability and will update the advisory as additional information becomes available. After the advisory is marked Final, you can refer to the associated Cisco bug for further details: 

CSCvo33929-CVE-2019-5736: runc container breakout
