How You Can Defend Containers Against Linux Stack Clash Exploits

For those responsible for container security within their organizations, “clashing” is now much more than just a fashion faux pas: The recently discovered Linux Stack Clash vulnerability (CVE-2010-2240) is a serious threat that attackers can exploit to gain root privileges within a container. Worse, if the exploit is applied in the host’s user space, it represents a critical danger in which an attacker could compromise running containers (or the Docker daemon itself).

Identified by researchers working at the security vendor Qualys, the vulnerability enables attackers to clash the stack with another memory region, such as the heap, and exploit a flaw in how memory is allocated on the stack for user space binaries—hence the “Stack Clash” name. Using this technique, attackers can jump over the stack guard gap, cause controlled memory corruption on the process stack or the adjacent memory region and then give themselves powerful system privileges. Qualys researchers showed that the stack guard pages that are intended to protect against issues of this nature can be fairly easily bypassed using Stack Clash.

Linux distributions vulnerable to this exploit include Red Hat, Debian, Ubuntu, SUSE and CentOS, and most distributions have already issued fixes. Stack Clash may be merely a local exploit in the user space, but the harm it can do shouldn’t be underestimated because of the access into the operating system (or kernel) that it can grant to attackers. Make no mistake about it: Teamed with other exploits, Stack Crash can cause significant damage to systems and has the potential to move laterally into others. Attackers using both Stack Clash and the recently discovered sudo vulnerability, for example, could gain root privileges and run any command of their choice.

In this way, containers are vulnerable to Stack Clash as well. While the correct container security settings—properly configured namespaces, cgroups, etc.—could ensure that the user space exploit cannot go beyond the container even if the attacker had gained root access within, this is somewhat wishful thinking. The combination of Stack Clash and a complementary vulnerability could succeed in breaking out of the container or the VM, likely leading to subsequent and more dangerous stages of a targeted attack.

Because of this, precautions should be taken to secure containers and hosts against Stack Clash and similar exploits. Such vulnerabilities and real-time exploits can be detected both prior to attacks and as they happen, by first scanning the container and host and introducing break out detection during run-time. Ideally, container security measures should include detection and prevention capabilities at multiple points throughout the system, in order to avert attacks before they happen and to recognize and respond effectively to those that do occur.

Organizations should utilize solutions that allow them to implement these container security measures:

  • All hosts and containers should be scanned in real-time to recognize existing vulnerabilities.
  • All hosts and containers should be monitored for unauthorized privilege escalations during run-time.
  • Detection measures should be in place to recognize container breakouts, or any attempts by attackers at lateral movement between hosts or containers.
  • Any suspicious connections should be blocked, and suspicious containers need to be quarantined and investigated.
  • Container security settings should be audited and tested periodically to ensure they meet industry standard security benchmarks, such as Docker Bench or the Kubernetes CIS Benchmark.

Unfortunately, vulnerabilities can’t always be detected before attackers can exploit them; obviously, this is true in the case of zero-day attacks. But, by implementing runtime security that is capable of discerning which connections are authorized and which are suspicious, security teams have the means of keeping their containers secure from Stack Clash-based attacks and similar exploits.

About the Author / Gary Duan

Gary Duan is the CTO at NeuVector, a Docker container network security solution that uses behavioral learning to secure containers during run-time. Gary has more than 15 years of experience in networking, security, cloud and data center software. He also holds several patents in security and data center technology. Connect with him on LinkedIn and follow him on Twitter.