New Linux Kernel Cgroups Vulnerability Could Allow Attackers to Escape Container


Details have emerged of a now patched high-severity vulnerability in the Linux kernel that could potentially be used to evade a container to execute arbitrary commands on the container’s host.

The shortcoming is in a Linux kernel feature called cgroups, specifically cgroups version 1 (v1), which allows processes to be organized into hierarchical groups so that their use of resources such as CPU, memory, disk I/O and network can be limited and monitored.

Tracked as CVE-2022-0492 (CVSS score: 7.0), the issue involves an elevation of privilege case in the release_agent feature of cgroups v1, a script run after any process in the cgroup terminates.

“The problem stands out as one of the simplest Linux privilege escalations discovered in recent times: the Linux kernel mistakenly exposed a privileged operation to unprivileged users,” said Unit 42 researcher Yuval Avrahami in a report published this week.


The manpage for cgroups explains its function as follows –

Whether or not the release_agent program is called when a particular cgroup becomes empty is determined by the value of the notify_on_release file in the corresponding cgroup directory. If this file contains the value 0, the release_agent program is not called. If it contains the value 1, the release_agent program is called. The default for this file in the root cgroup is 0.

Specifically, the Palo Alto Networks threat intelligence team noted that the bug is a consequence of a missing check to verify that the process setting the release_agent file had administrative privileges, making it ripe for exploitation.

In other words, if an attacker can overwrite this release_agent file, the kernel can be made to execute an arbitrary binary configured as the release agent with the highest possible privileges, a scenario that could effectively hand the attacker full control of the machine.

It should be noted, however, that only processes with “root” privileges can write to the file, meaning the vulnerability only allows root processes to elevate privileges.

“At first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem bizarre,” Avrahami explained. “Running as root does not necessarily mean full control over the machine: there is a gray area between the root user and full privileges that include capabilities, namespaces, and containers. In those scenarios where a root process does not have full control over the machine, CVE-2022-0492 becomes a serious vulnerability.”


Although containers running under AppArmor or SELinux are protected against the flaw, users are advised to apply the patches, since the bug could also be abused by other malicious processes on the host to elevate privileges.
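Because the mechanism described above only fires when a hierarchy root has a non-empty release_agent (and notify_on_release set to 1), a host-side audit of those two files is a cheap detection and hardening check. The script below is an added example written for this page, not code from the article or from Unit 42: it parses /proc/mounts to find cgroup v1 hierarchies (filesystem type "cgroup", as opposed to "cgroup2", which has no release_agent file), reads each hierarchy root's release_agent and notify_on_release, flags any agent not on an allowlist, and reports which LSMs the kernel lists in /sys/kernel/security/lsm. The allowlisted systemd agent paths and all sample file contents are assumptions constructed for the example; run it on the host with read access to /sys/fs/cgroup to audit a real system.

```python
"""Host-side audit of cgroup v1 release_agent settings (added example, not from the article)."""
import os

# Paths assumed to be legitimate release agents. The systemd paths are an assumption
# based on systemd's cgroup v1 behaviour; adjust for your distribution.
DEFAULT_ALLOWLIST = frozenset({
    "/usr/lib/systemd/systemd-cgroups-agent",
    "/lib/systemd/systemd-cgroups-agent",
})

# Constructed sample of /proc/mounts content so the script runs offline.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
"""

# Constructed file contents keyed by path, standing in for the real sysfs tree.
# The memory hierarchy carries an unexpected agent, the kind of finding to alert on.
SAMPLE_FILES = {
    "/sys/fs/cgroup/systemd/release_agent": "/usr/lib/systemd/systemd-cgroups-agent\n",
    "/sys/fs/cgroup/systemd/notify_on_release": "1\n",
    "/sys/fs/cgroup/memory/release_agent": "/tmp/.cache/agent.sh\n",
    "/sys/fs/cgroup/memory/notify_on_release": "1\n",
    "/sys/fs/cgroup/rdma/release_agent": "\n",
    "/sys/fs/cgroup/rdma/notify_on_release": "0\n",
    "/sys/kernel/security/lsm": "lockdown,capability,yama,apparmor\n",
}


def cgroup_v1_mounts(mounts_text):
    """Return mount points whose filesystem type is 'cgroup' (v1 hierarchies)."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "cgroup":
            points.append(fields[1])
    return points


def read_hierarchy_state(mountpoint, read_file):
    """Read release_agent and notify_on_release at a hierarchy root.

    read_file(path) returns the file's text, or None if it cannot be read.
    """
    def get(name):
        text = read_file(os.path.join(mountpoint, name))
        return None if text is None else text.strip()
    return {"release_agent": get("release_agent"),
            "notify_on_release": get("notify_on_release")}


def audit(mounts_text, read_file, allowlist=DEFAULT_ALLOWLIST):
    """Return (level, mountpoint, agent, armed) for every configured release agent.

    level is 'info' for allowlisted agents, 'alert' for an unexpected agent that
    will run on cgroup release (notify_on_release == 1), 'warn' otherwise.
    """
    findings = []
    for mp in cgroup_v1_mounts(mounts_text):
        state = read_hierarchy_state(mp, read_file)
        agent = state["release_agent"]
        if not agent:
            continue  # empty release_agent: nothing runs when the cgroup empties
        armed = state["notify_on_release"] == "1"
        if agent in allowlist:
            level = "info"
        else:
            level = "alert" if armed else "warn"
        findings.append((level, mp, agent, armed))
    return findings


def enabled_lsms(lsm_text):
    """Parse the comma-separated LSM list from /sys/kernel/security/lsm."""
    if lsm_text is None:
        return []
    return [name for name in lsm_text.strip().split(",") if name]


def read_sample_file(path):
    return SAMPLE_FILES.get(path)


def read_real_file(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # Use the constructed sample; swap in read_real_file and the real /proc/mounts on a host.
    for level, mp, agent, armed in audit(SAMPLE_MOUNTS, read_sample_file):
        print(f"[{level}] {mp}: release_agent={agent} notify_on_release={'1' if armed else '0'}")
    print("LSMs:", ", ".join(enabled_lsms(read_sample_file("/sys/kernel/security/lsm"))))
```

An "alert" finding does not by itself prove exploitation (an administrator may have configured the agent), but release_agent is empty by default and rarely set outside the systemd hierarchy, so any unexpected value warrants investigation; pair the check with the kernel patch and with AppArmor or SELinux confinement for containers, since the audit only observes state after the fact.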

This is far from the first time release_agent has appeared as an attack vector. In July 2017, Google Project Zero researcher Felix Wilhelm demonstrated a “quick and dirty” proof-of-concept (PoC) exploit leveraging the functionality to break out of privileged Kubernetes and Docker containers.

Then, in November 2021, cloud security firm Aqua disclosed details of a cryptocurrency mining campaign that used the exact same container escape technique to drop the XMRig coin miner onto infected hosts, making it the first recorded case of real-world exploitation.

“CVE-2022-0492 marks another Linux vulnerability that can be exploited for container escaping,” Avrahami concluded. “Fortunately, environments that follow best practices are protected against this vulnerability. Environments with lax security controls hosting untrusted or publicly exposed containers are, unsurprisingly, high risk.”

