A critical vulnerability in the CRI-O container runtime engine used in some Kubernetes clusters could allow an attacker to abuse a specific parameter to escape a given container and gain code execution as root on any of the other nodes on the cluster.
The weakness enables an attacker to bypass some of the security safeguards in the CRI-O runtime that are designed to allow a node to share certain resources with the applications running on it. Exploiting the vulnerability can lead to a container escape and code execution on other nodes. Researchers at CrowdStrike recently discovered the bug and reported it to Kubernetes, which then worked with the CRI-O maintainers on a fix. The patch was released Tuesday.
“The Linux kernel accepts runtime parameters that control its behavior. Some parameters are namespaced and can therefore be set in a single container without impacting the system at large. Kubernetes and the container runtimes it drives allow pods to update these “safe” kernel settings while blocking access to others,” CrowdStrike’s analysis of the flaw says.
“CrowdStrike’s Cloud Threat Research team discovered a flaw introduced in CRI-O version 1.19 that allows an attacker to bypass these safeguards and set arbitrary kernel parameters on the host. As a result of CVE-2022-0811, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the “kernel.core_pattern” parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.”
CRI-O is a container runtime engine used with Kubernetes to deploy and run containers. It is designed as an alternative to Docker. The CrowdStrike researchers created a proof-of-concept exploit for the vulnerability, which they have named cr8escape.
“Kubernetes is not necessary to invoke CVE-2022-0811. An attacker on a machine with CRI-O installed can use it to set kernel parameters all by itself. We used Kubernetes in this POC to better illustrate the potential impact of the problem and to more closely simulate how this would likely be used in the wild,” the researchers said.
The vulnerability is patched in version 1.23.2 of CRI-O.
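For cluster operators, the two things worth checking after this disclosure are whether a node still runs a CRI-O release between 1.19 and the 1.23.2 fix, and whether the host's kernel.core_pattern has been pointed at an unexpected handler. The following audit script is an added example, not CrowdStrike's or the CRI-O project's code; it assumes every release in the range [1.19.0, 1.23.2) is affected (backported point releases are not modelled), and the expected-handler list and node inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Versions named in the article: flaw introduced in CRI-O 1.19, fixed in 1.23.2.
# Assumption: releases in [1.19.0, 1.23.2) count as affected; backports are
# not modelled here.
INTRODUCED = (1, 19, 0)
FIXED = (1, 23, 2)
# Assumption: core-dump pipe handlers a node is expected to carry.
EXPECTED_HANDLERS = {"/usr/lib/systemd/systemd-coredump",
                     "/lib/systemd/systemd-coredump", "/usr/share/apport/apport"}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v1.23.2' or '1.22' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable CRI-O version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def crio_is_affected(version: str) -> bool:
    return INTRODUCED <= parse_version(version) < FIXED

def core_pattern_findings(value: str) -> List[str]:
    """Flag a kernel.core_pattern that pipes dumps into an unexpected program."""
    value = value.strip()
    if not value.startswith("|"):
        return []  # plain file pattern such as 'core' or '/var/crash/core.%p'
    parts = value[1:].split()
    handler = parts[0] if parts else ""
    if handler in EXPECTED_HANDLERS:
        return []
    return [f"core_pattern pipes to unexpected handler {handler!r}"]

def audit_nodes(nodes: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """nodes maps node name -> {'crio': version string, 'core_pattern': sysctl value}."""
    report = {}
    for name, info in nodes.items():
        findings = []
        if crio_is_affected(info["crio"]):
            findings.append(f"CRI-O {info['crio']} predates the 1.23.2 fix")
        findings.extend(core_pattern_findings(info["core_pattern"]))
        report[name] = findings
    return report

# Constructed sample inventory, not real cluster data.
SAMPLE_NODES = {
    "node-a": {"crio": "1.22.0",
               "core_pattern": "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h"},
    "node-b": {"crio": "1.23.2", "core_pattern": "|/tmp/unknown_handler"},
    "node-c": {"crio": "v1.18.4", "core_pattern": "core"},
}
```

In practice the version comes from `crio --version` on each node and the pattern from /proc/sys/kernel/core_pattern; run `audit_nodes` over that inventory and treat any non-empty finding list as something to investigate.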