Howk IT-Dienstleistungen

Feb 12 / 2019, Hi Tech

Blog: Runc and CVE-2019-5736

This morning a container escape vulnerability in runc was announced. We wanted to provide some guidance to Kubernetes users to ensure everyone is safe and secure.

What Is Runc?

Very briefly, runc is the low-level tool which does the heavy lifting of spawning a Linux container. Other tools like Docker, containerd, and CRI-O sit on top of runc to deal with things like data formatting and serialization, but runc is at the heart of all of these systems.

Kubernetes in turn sits on top of those tools, and so while no part of Kubernetes itself is vulnerable, most Kubernetes installations are using runc under the hood.

What Is The Vulnerability?

While full details are still embargoed to give people time to patch, the rough version is that when running a process as root (UID 0) inside a container, that process can exploit a bug in runc to gain root privileges on the host running the container. This then gives the attacker unlimited access to the host as well as to any other containers running on it.

If the process inside the container is either trusted (something you know is not hostile) or is not running as UID 0, then the vulnerability does not apply. It can also be prevented by SELinux, if an appropriate policy has been applied. Red Hat Enterprise Linux, CentOS, and Fedora all include appropriate SELinux permissions with their packages and so are believed to be unaffected.

The most common source of risk is attacker-controlled container images, such as unvetted images from public repositories.

What Should I Do?

As with all security issues, the two main options are to mitigate the vulnerability or upgrade your version of runc to one that includes the fix.

As the exploit requires UID 0 within the container, a direct mitigation is to ensure all your containers are running as a non-zero UID. This can be set within the container image, or via your pod specification:

apiVersion: v1
kind: Pod
metadata:
  name: run-as-uid-1000
spec:
  securityContext:
    runAsUser: 1000
  # ...

This can also be enforced globally using a PodSecurityPolicy:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: non-root
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'

Setting a policy like this is highly encouraged given the overall risks of running as UID 0 inside a container.

Another potential mitigation is to ensure all your container images are vetted and trusted. This can be accomplished by building all your images yourself, or by vetting the contents of an image and then pinning to the image version hash (image: external/someimage@sha256:7832659873hacdef).
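The two mitigations above (a non-zero runAsUser / MustRunAsNonRoot policy, and digest-pinned images) can be checked before a manifest is applied. The following audit script is an added example, not code from the original post or from the Kubernetes project; it assumes the pod manifest has already been loaded into a Python dict (for instance with yaml.safe_load) and uses constructed sample manifests.

```python
import re

# Matches an image reference pinned to a content digest, the form the post's
# "external/someimage@sha256:..." example uses (64 hex characters for sha256).
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _runs_as_root(pod_sc, ctr_sc):
    """True if the effective settings still allow UID 0 in the container.

    Container-level securityContext overrides the pod-level one (Kubernetes
    precedence). With neither runAsUser nor runAsNonRoot set, the image's USER
    applies, which is commonly root, so "unset" counts as a finding.
    """
    pod_sc, ctr_sc = pod_sc or {}, ctr_sc or {}
    non_root = ctr_sc.get("runAsNonRoot")
    if non_root is None:
        non_root = pod_sc.get("runAsNonRoot")
    if non_root is True:
        return False  # kubelet refuses to start a UID 0 process in this case
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    return uid is None or uid == 0


def audit_pod(pod):
    """Return a list of finding strings for one pod manifest loaded as a dict."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext")
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{ctr.get('name', '<unnamed>')}"
        ctr_sc = ctr.get("securityContext") or {}
        if _runs_as_root(pod_sc, ctr_sc):
            findings.append(f"{cname}: may run as UID 0 (set runAsUser or runAsNonRoot)")
        if ctr_sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        image = ctr.get("image", "")
        if not DIGEST_RE.search(image):
            findings.append(f"{cname}: image '{image}' is not pinned by sha256 digest")
    return findings


# Constructed sample manifests, already loaded as dicts (e.g. via yaml.safe_load).
UNSAFE_POD = {"metadata": {"name": "web"},
              "spec": {"containers": [{"name": "app", "image": "public/someimage:latest"}]}}
SAFE_POD = {"metadata": {"name": "run-as-uid-1000"},
            "spec": {"securityContext": {"runAsUser": 1000},
                     "containers": [{"name": "app",
                                     "image": "external/someimage@sha256:" + "ab" * 32}]}}

if __name__ == "__main__":
    for pod in (UNSAFE_POD, SAFE_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["OK"])
```

Note that a container-level runAsUser: 0 silently overrides a pod-level non-zero UID, which is why the check walks every container rather than only the pod securityContext.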

Upgrading runc can generally be accomplished by upgrading the package runc for your distribution or by upgrading your OS image if using immutable images. This is a list of known safe versions for various distributions and platforms:

Some platforms have also posted more specific instructions:

Google Container Engine (GKE)

Google has issued a security bulletin with more detailed information but in short, if you are using the default GKE node image then you are safe. If you are using an Ubuntu or CoreOS node image then you will need to mitigate or upgrade to an image with a fixed version of runc.

Amazon Elastic Container Service for Kubernetes (EKS)

Amazon has also issued a security bulletin with more detailed information. All EKS users should mitigate the issue or upgrade to a new node image.

Docker

We don’t have specific confirmation that Docker for Mac and Docker for Windows are vulnerable, however it seems likely. Docker has released a fix in version 18.09.2 and it is recommended you upgrade to it. This also applies to other deployment systems using Docker under the hood.

If you are unable to upgrade Docker, the Rancher team has provided backports of the fix for many older versions at github.com/rancher/runc-cve.

Getting More Information

If you have any further questions about how this vulnerability impacts Kubernetes, please join us at discuss.kubernetes.io.

If you would like to get in contact with the runc team, you can reach them on Google Groups or #opencontainers on Freenode IRC.

Feb 11 / 2019, Hi Tech

Adiantum Is Google’s New Encryption Standard For Budget Smartphones

Encryption certainly isn’t the sexiest of topics for most people; we want our data to be secure from nefarious sorts and then move on. The challenge with encryption is that depending on the algorithm and type of encryption used, it can consume lots of system resources. This isn’t such a big deal on high-end smartphones as many of them have

Feb 11 / 2019, Hi Tech

Google Fiber’s Epic Fail: ISP To Abandon Louisville Customers In April

Google Fiber started off with a bang back in 2010, and has slowly expanded into some key metropolitan areas across the United States. But while Google Fiber promises symmetrical 1Gbps speeds that are the envy of many techies, parent company Alphabet has run into numerous technical, legal, and competitive challenges that have stalled the rollout

Feb 11 / 2019, Hi Tech

Respawn’s Apex Legends Boasts 10 Million Players In Just Three Days

Respawn Entertainment jumped into the battle royale realm recently with a game set in the Titanfall world called Apex Legends. The game launched on February 4 and within eight hours of launch, it had 1 million people playing. Respawn is now talking up player stats a few more days post-launch, and the numbers are impressive.

Feb 11 / 2019, Hi Tech

Marvel’s Captain Marvel Promo Website Is Pleasantly 90s Retro

Kids these days have no idea what the web was like in the early days, back when America On-Line trial CDs littered store counters and instead of Googling, you would Ask Jeeves. They can get a taste of what online life was like in the dial-up era, though, in the most awesome of ways—by visiting Marvel’s Captain Marvel website.