A recently disclosed security vulnerability in the Kubernetes container engine CRI-O, identified as cr8escape, could be exploited by an attacker to break out of containers and obtain root access to the host.
“Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, such as execution of malware, exfiltration of data, and lateral movement across pods,” CrowdStrike researchers John Walker and Manoj Ahuje said in an analysis published this week.
A lightweight alternative to Docker, CRI-O is a container runtime implementation of the Kubernetes Container Runtime Interface (CRI) that is used to pull container images from registries and launch an Open Container Initiative (OCI)-compatible runtime such as runC to spawn and run container processes.
The vulnerability is rated 8.8 on the CVSS vulnerability scoring system and affects CRI-O versions 1.19 and later. Following responsible disclosure, patches were released to address the flaw in version 1.23.2, shipped on March 15, 2022.
CVE-2022-0811 stems from a code change introduced in version 1.19 to set kernel options for a pod, resulting in a scenario where a bad actor with permissions to deploy a pod on a Kubernetes cluster using the CRI-O runtime can take advantage of the “kernel.core_pattern” parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
The parameter “kernel.core_pattern” is used to specify a pattern name for a core dump, a file containing the memory snapshot of a process at a particular point in time, which is typically produced in response to unexpected crashes or when the process terminates abnormally.
“If the first character of the pattern is a ‘|’ [a pipe], the kernel will treat the rest of the pattern as a command to run. The core dump will be written to the standard input of that program instead of to a file,” reads the Linux kernel documentation.
Therefore, by setting this option to point to a malicious shell script and triggering a core dump, the vulnerability leads to the invocation of the script, effectively achieving remote code execution and granting the adversary the ability to take over the node.
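Two checks a defender can run against the mechanism described above, as an added example that is not part of the original article or of CrowdStrike's writeup: classify the node's current core_pattern by the kernel's pipe rule, and flag pod specs that request kernel.* sysctls. The allowlist of known handlers and the sample pod spec are assumptions constructed for the example.

```python
"""Audit helpers for kernel.core_pattern pipe-handler abuse (added example)."""
from pathlib import Path

# Pipe handlers common distributions install by default. Assumed allowlist;
# adjust to what your fleet actually ships.
KNOWN_HANDLERS = {"/usr/lib/systemd/systemd-coredump", "/usr/share/apport/apport"}


def classify_core_pattern(pattern: str) -> dict:
    """Describe what the kernel would do with this core_pattern value.

    A leading '|' means the kernel runs the rest as a command and feeds the
    core dump to its stdin, so any handler outside the allowlist is suspicious.
    """
    pattern = pattern.strip()
    if pattern.startswith("|"):
        argv = pattern[1:].split()
        handler = argv[0] if argv else ""
        return {"mode": "pipe", "handler": handler,
                "suspicious": handler not in KNOWN_HANDLERS}
    # Plain pattern: the dump is written to a file, no command is executed.
    return {"mode": "file", "handler": pattern, "suspicious": False}


def read_node_core_pattern(proc_root: str = "/proc") -> dict:
    """Read and classify the running node's core_pattern (Linux only)."""
    text = Path(proc_root, "sys/kernel/core_pattern").read_text()
    return classify_core_pattern(text)


def find_kernel_sysctls(pod_spec: dict) -> list:
    """List sysctls in a pod spec that touch kernel.* or mention core_pattern.

    Unprivileged workloads have no business setting these; treat any hit as a
    policy violation to reject at admission time.
    """
    sysctls = pod_spec.get("spec", {}).get("securityContext", {}).get("sysctls", [])
    return [s["name"] for s in sysctls
            if s.get("name", "").startswith("kernel.")
            or "core_pattern" in str(s.get("value", ""))]


# Constructed sample pod spec (not from the page) requesting core_pattern.
SAMPLE_POD = {"spec": {"securityContext": {"sysctls": [
    {"name": "net.ipv4.ip_unprivileged_port_start", "value": "0"},
    {"name": "kernel.core_pattern", "value": "|/tmp/unexpected-handler.sh"}]}}}

if __name__ == "__main__":
    print(classify_core_pattern("|/usr/lib/systemd/systemd-coredump %P %u %g"))
    print(classify_core_pattern("|/tmp/unexpected-handler.sh"))
    print(find_kernel_sysctls(SAMPLE_POD))
```

Run `read_node_core_pattern()` on each node as a periodic check; an unexpected pipe handler is a strong indicator that something set core_pattern outside of normal configuration management.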
“Kubernetes is not required to invoke CVE-2022-0811,” the researchers noted. “An attacker on a machine with CRI-O installed can use it to set kernel parameters all by itself.”
Some parts of this article are sourced from:
thehackernews.com