Serious ‘cr8escape’ Vulnerability Discovered in CRI-O for Kubernetes, Patch Now!

essidsolutions

A newly discovered vulnerability in CRI-O, a container runtime used by Kubernetes, could be exploited by an attacker to gain root-level access on a host machine. Discovered by CrowdStrike researchers, the vulnerability is tracked as CVE-2022-0811.

CRI-O is an open-source implementation of the Kubernetes Container Runtime Interface (CRI). Specifically, CVE-2022-0811, also referred to as cr8escape, lies in the way CRI-O passes kernel settings requested by a pod through to the Linux kernel.

The container runtime, here CRI-O, serves several functions. One of them is to share each node’s kernel and resources safely among the containerized applications running on it. Linux namespaces and Kubernetes policy restrict which kernel settings (sysctls) a pod may change, so that a setting changed for one container cannot affect other containers or the host as a whole.

The trouble arrived with the sysctl support added in CRI-O version 1.19. sysctl is the interface for changing kernel parameters at runtime, and CRI-O was found to apply the sysctl values a pod requested without validating them, handing whatever string it received to the kernel. Tim Mackey, a principal security strategist at the Synopsys Cybersecurity Research Center, highlighted how often errors recur when newer software is implemented. He said, “CVE-2022-0811 serves as a reminder that more often than we’d care to admit, software implementation errors often follow patterns.”

He adds, “For years security professionals have highlighted the impact of SQL injection, or SQLi, as a means to change the behavior of an application. This common attack pattern is part of most security training programmes, but it is also that pattern we see as an attack pattern with CVE-2022-0811.”


Through CVE-2022-0811, CRI-O 1.19 and later can thus allow an attacker to bypass the Linux safeguards, escape from a Kubernetes container, and set arbitrary kernel parameters on the container host. CrowdStrike researchers said, “As a result of CVE-2022-0811, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the ‘kernel.core_pattern’ parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.”

Mackey said a “lack of validation in CRI-O for system controls allows commands to be chained. When chained, it’s possible for an attacker to perform a privilege escalation on a specific host within a cluster.”

cr8escape carries a CVSS score of 8.8 out of 10. It can allow arbitrary code to be executed, including on systems that use CRI-O without Kubernetes. This opens vulnerable systems to malware and data exfiltration and allows attackers to move laterally across containers.

Red Hat OpenShift and Oracle Container Engine for Kubernetes may also be vulnerable to cr8escape, according to CrowdStrike. 

CrowdStrike researchers disclosed the vulnerability privately to the Kubernetes and CRI-O maintainers. A patch for cr8escape was released this week. Users are advised to update CRI-O immediately to v1.23.2, or to the patched release of the 1.19 to 1.22 branch they run. This is the best way to eliminate the problem at hand.

If the CRI-O update cannot be applied immediately, CrowdStrike also laid out two mitigations at the Kubernetes level. The “ideal” way is to “use policies to block pods that contain sysctl settings with “+” or “=” in their value.” The “less ideal alternative,” the researchers said, is to block sysctls completely using the PodSecurityPolicy forbiddenSysctls field. Blocking individual sysctls by name is not enough: the malicious setting is smuggled inside the value of an otherwise permitted sysctl, so a name-based blocklist never sees it, and only a total block (or a check on the values themselves) closes the hole. PodSecurityPolicy was already deprecated at the time (it was removed in Kubernetes 1.25), so clusters without it need an admission policy engine to apply the same value check.
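The smuggling mechanism and the two mitigations, as an added example written for this article rather than code from CRI-O or CrowdStrike. It assumes, modelling the flaw on the “+” and “=” characters the mitigation singles out, that the runtime joins a pod’s sysctls into one `name=value+name=value` string and that a helper on the node splits it back apart; `kernel.shm_rmid_forced` is a namespaced sysctl Kubernetes permits by default, and the `/tmp/handler` path is a placeholder, not a working payload.

```go
package main

import (
	"fmt"
	"strings"
)

// Sysctl is one entry from a pod's securityContext.sysctls list.
type Sysctl struct {
	Name  string
	Value string
}

// encodeSysctls joins the pod's sysctls into the single "k=v+k=v" string
// that (by assumption here) the vulnerable runtime handed to its helper.
// The raw value is spliced in unchanged, which is the flaw: nothing stops
// a value from carrying its own '+' and '='.
func encodeSysctls(list []Sysctl) string {
	parts := make([]string, 0, len(list))
	for _, s := range list {
		parts = append(parts, s.Name+"="+s.Value)
	}
	return strings.Join(parts, "+")
}

// decodeSysctls is what the helper on the node does with that string:
// split on '+', then on the first '=' of each piece, and apply each pair.
func decodeSysctls(encoded string) []Sysctl {
	var out []Sysctl
	for _, piece := range strings.Split(encoded, "+") {
		kv := strings.SplitN(piece, "=", 2)
		if len(kv) != 2 {
			continue
		}
		out = append(out, Sysctl{Name: kv[0], Value: kv[1]})
	}
	return out
}

// smuggledSysctls returns the names that reach the kernel although the pod
// never declared them: the parameters an attacker injected through a value.
func smuggledSysctls(declared []Sysctl) []string {
	declaredNames := map[string]bool{}
	for _, s := range declared {
		declaredNames[s.Name] = true
	}
	var extra []string
	for _, s := range decodeSysctls(encodeSysctls(declared)) {
		if !declaredNames[s.Name] {
			extra = append(extra, s.Name)
		}
	}
	return extra
}

// nameBlocklistCatches mimics a forbiddenSysctls-style check that only
// inspects declared names. It never sees a parameter hidden in a value,
// which is why a partial blocklist does not mitigate cr8escape.
func nameBlocklistCatches(list []Sysctl, forbidden []string) bool {
	for _, s := range list {
		for _, f := range forbidden {
			if s.Name == f {
				return true
			}
		}
	}
	return false
}

// ValidateSysctls is the value check the advisory recommends: reject any
// sysctl whose value contains '+' or '='. Run at admission time, it stops
// the smuggled string before the runtime ever sees it.
func ValidateSysctls(list []Sysctl) error {
	for _, s := range list {
		if strings.ContainsAny(s.Value, "+=") {
			return fmt.Errorf("sysctl %q: value %q contains '+' or '='", s.Name, s.Value)
		}
	}
	return nil
}

func main() {
	// Constructed pod: one permitted sysctl whose value hides a second,
	// non-namespaced one. The handler path is a placeholder.
	pod := []Sysctl{{
		Name:  "kernel.shm_rmid_forced",
		Value: "1+kernel.core_pattern=|/tmp/handler",
	}}
	fmt.Println("helper receives:   ", encodeSysctls(pod))
	fmt.Println("smuggled sysctls:  ", smuggledSysctls(pod))
	fmt.Println("name blocklist hit:", nameBlocklistCatches(pod, []string{"kernel.core_pattern"}))
	fmt.Println("admission verdict: ", ValidateSysctls(pod))
}
```

The name-based check returns false for the constructed pod even though `kernel.core_pattern` is on its blocklist, while the value check rejects it; that asymmetry is the whole argument for blocking on values or blocking sysctls outright.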

