Cyber Security: Cyber Daily

Attackers can exploit a previously unknown security vulnerability in the Kubernetes container engine CRI-O labelled cr8escape. The attacker can exploit the vulnerability to escape the container and get root access to the host. 

“Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including the execution of malware, exfiltration of data, and lateral movement across pods,” CrowdStrike researchers John Walker and Manoj Ahuje said in an analysis published this week.

CRI-O, lighter alternative to Docker, is a container runtime implementation of Kubernetes Container Runtime Interface (CRI). CRI-O takes out container images from registries and launches an Open Container Initiative (OCI)—compatible runtime such as runC— to initiate and execute container processes.

CVSS rates the vulnerability 8.8, and the vulnerability impacts CRI-O versions 1.19 and above. Patches have been released after responsible disclosure; the patches come with version 1.23.2, shipped on March 15, 2022.

CVE-2022-0811 has its root in a code change done to version1.19, which led to kernel options for a pod, as a result, a bad actor with permissions to plant pod on a Kubernetes cluster through CRI-O runtime can exploit the “”kernel.core_pattern” parameter”  to get out of the container and execute an arbitrary code as root on any node in the cluster.

The parameter “kernel.core_pattern” specifies a pattern name for a core dump, which is a file that has the memory snapshot of a program at a certain time that’s triggered in response to unexpected crashes or when the process ends weirdly. 

“If the first character of the pattern is a ‘|’ [a pipe], the kernel will treat the rest of the pattern as a command to run. The core dump will be written to the standard input of that program instead of to a file,” reads the Linux kernel documentation.

Therefore, by scheming to identify a malicious shell script and activating a core dump, the vulnerability gives rise to script invocation, which leads to remote execution of code and allows the adversary to control the node.

“Kubernetes is not necessary to invoke CVE-2022-8011,” the researchers pointed out. “An attacker on a machine with CRI-O installed can use it to set kernel parameters all by itself.”