Aqua Blog

Host Security

Hunting Rootkits with eBPF: Detecting Linux Syscall Hooking Using Tracee

Today, cloud native platforms are increasingly using eBPF-based security technology. It enables the monitoring and analysis of applications’ runtime behavior by creating safe hooks for tracing internal functions and capturing important data for forensic purposes. Tracee is an open source runtime security and forensics …

CVE-2021-3156 sudo Vulnerability Allows Root Privileges

A new severe vulnerability was found in sudo, the privilege-delegation utility shipped with Unix and Linux operating systems. It allows an unprivileged local user to trigger a heap overflow in sudo and elevate privileges to root, without authenticating and without even being listed in the sudoers file. In this blog, I’ll go over how this CVE can be …

CVE-2019-14287 sudo Vulnerability Allows Bypass of User Restrictions

A new vulnerability was discovered earlier this week in the sudo package. Sudo is one of the most powerful and commonly used utilities installed on almost every UNIX and Linux-based operating system.

Mitigating High Severity RunC Vulnerability (CVE-2019-5736)

Yesterday it was disclosed that a new high severity (CVSS score 7.2) vulnerability (CVE-2019-5736) was found in runc that allows an attacker to potentially compromise the container host. Patches are already available from most providers (see below). Aqua customers can also prevent this vulnerability from being …

Aqua 3.2: Preventing Container Breakouts with Dynamic System Call Profiling

Recently, IBM researchers weighed in on container isolation, having developed an algorithm for measuring how well it works, and reached the conclusion that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."
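The quoted claim rests on seccomp rejecting system calls the workload never needs. The following is an added example, not code from Aqua or from the IBM researchers: a minimal seccomp-BPF filter that makes one chosen system call fail with EACCES, with demo_block_uname() reporting whether the filter took effect. uname is used as the probe only because it is harmless and normally succeeds; a real container profile such as Docker's default inverts this into an allowlist with a default-deny action. It assumes a Linux x86_64 or aarch64 host with seccomp enabled and kernel headers installed.

```c
/* Added example (not Aqua's code): deny one syscall with seccomp-BPF and
 * verify the kernel now refuses it. Assumes Linux x86_64 or aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "unsupported architecture for this example"
#endif

/* Install a filter that makes syscall number `nr` return -1/EACCES.
 * Everything else is allowed, which is the opposite of a hardened
 * profile; production profiles default to deny and allowlist. */
static int deny_syscall(int nr)
{
    struct sock_filter filter[] = {
        /* Check the ABI first: a foreign arch (e.g. i386 compat) has
         * different syscall numbers, so kill rather than misjudge. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; if it matches, fail it with EACCES. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Unprivileged processes may only install a filter with no_new_privs set,
     * which also stops setuid binaries from escaping the filter later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Returns 1 if uname() worked before the filter and failed with EACCES
 * afterwards; 0 if the filter did not bite; negative on environment errors.
 * EACCES is chosen deliberately so the result cannot be confused with a
 * capability-based EPERM. The filter stays in place for the process. */
int demo_block_uname(void)
{
    struct utsname u;

    if (uname(&u) != 0)
        return -2;              /* uname unusable here; not a seccomp result */
    if (deny_syscall(SYS_uname) != 0)
        return -1;              /* seccomp unavailable in this environment */

    errno = 0;
    if (uname(&u) == 0)
        return 0;               /* filter installed but did not take effect */
    return errno == EACCES ? 1 : 0;
}

int main(void)
{
    int r = demo_block_uname();
    printf("seccomp demo result: %d (1 = syscall blocked with EACCES)\n", r);
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o seccomp_demo seccomp_demo.c` and run unprivileged; the filter applies only to this process and its children, so nothing on the host changes.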

Bugs Gone Wild: Container (Stack) Clash and CVE-2017-1000253

A “Stack Clash” is a vulnerability in the memory management of several operating systems, including Linux. It can be exploited by attackers to corrupt memory of a privileged process in order to execute arbitrary code.

DockerCon 2017: Moby, LinuxKit, Linux Containers on Windows, and More

Last week I attended DockerCon along with many of my colleagues at Aqua. It was a great event, with over 5,000 attendees, making it the biggest DockerCon ever. Also, this year 20% of attendees were women - still room for improvement, but we’re on the right track. As usual, it was packed with interesting announcements …

CVE-2016-9962: Run Container Run

RunC Like the Wind

Recently, an interesting vulnerability was discovered (CVE-2016-9962) that enables container escape to the host. The vulnerability stems from a bug found in opencontainers' runc code, which is used by several container engines, including Docker.

Dirty COW Vulnerability: Impact on Containers

There has been plenty of buzz lately regarding an old-new privilege escalation vulnerability, adorably named “Dirty COW” after the Copy-On-Write memory mechanism in the Linux kernel. The whole thing started roughly eleven years ago, when a kernel developer left a race condition issue open: “This is an ancient bug …
