A new Linux privileged escalation vulnerability in Cgroups feature could cause container escape on unhardened hosts. This is the third in a line of similar Kernel vulnerabilities found recently that could allow containers to escape.
Control groups, also known as cgroups, is a Linux kernel feature used to organize processes into hierarchical groups and is a building block of containers.
Red Hat issued a security advisory on Feb 6, 2022 on the Linux vulnerability CVE-2022-0492 that could allow an attacker to abuse the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
RedHat said the vulnerability is blocked by default via the SELinux policy on the OCP cluster nodes.
However, researchers at Palo Alto Networks Unit 42 group issued new guidance on the importance of hardening container environments against these types of kernel vulnerabilities that could result in execution of arbitrary code.
“If you run containers without best practice hardenings, or with additional privileges, you may be at risk,” Unit 42 wrote in a blog post.
“Aside from containers, the vulnerability can also allow root host processes with no capabilities, or non-root host processes with the CAP_DAC_OVERRIDE capability, to escalate privileges and attain all capabilities. This may allow attackers to circumvent a hardening measure used by certain services, which drop capabilities in an attempt to limit impact if a compromise occurs.”
Moreover, Unit 42 noted CVE-2022-0492 is now the third kernel vulnerability in recent months.
Earlier this year, researchers found a High risk buffer heap overflow vulnerability (CVE-2022-0185) that could allow processes inside a Linux user namespace to escape (such as containers running on systems).
After an exploit was already developed, security experts then used this vulnerability to try to break out of Google’s Kubernetes CTF platform (also known as kCTF).
In January this year, a third “trivially exploitable” local privilege escalation vulnerability (CVE-2021-4034) was found in Polkit’s pkexec tool that affects likely every major Linux distribution.
Experts warned at that time the Polkit vulnerability “had been hiding in plain sight for 12+ years” (since pkexec was first introduced in 2009).
- Siloscape: The first malware to target Windows containers
- PwnKit: “Trivially exploitable” vulnerability found in Linux Polkit’s pkexec tool
- Ubuntu 21.04 (Hirsute Hippo) end-of-life January 20, 2022
- Two Kubernetes vulnerabilities patched
- Serious open-source container vulnerability
- Misconfigured Docker containers abused to deliver cryptocurrency mining malware
- What Are Application Containers And How Do I Secure Them?
- Microsoft container tool patch