Details have emerged about a now-patched high-severity vulnerability in the Linux kernel that could potentially be abused to escape a container in order to execute arbitrary commands on the container host.
The shortcoming resides in a Linux kernel feature called control groups, also referred to as cgroups version 1 (v1), which allows processes to be organized into hierarchical groups, effectively making it possible to limit and monitor the usage of resources such as CPU, memory, disk I/O, and network.
Tracked as CVE-2022-0492 (CVSS score: 7.0), the issue concerns a case of privilege escalation in the cgroups v1 release_agent functionality, a script that is executed following the termination of any process in the cgroup.
“The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users,” Unit 42 researcher Yuval Avrahami said in a report published this week.
The man page for cgroups describes its function as follows –
Whether or not the release_agent program is invoked when a particular cgroup becomes empty is determined by the value in the notify_on_release file in the corresponding cgroup directory. If this file contains the value 0, then the release_agent program is not invoked. If it has the value 1, the release_agent program is invoked. The default value for this file in the root cgroup is 0.
Specifically, the Palo Alto Networks threat intelligence team noted that the bug is the result of a missing check to verify whether the process setting the release_agent file had administrative privileges, thereby making it ripe for potential exploitation.
In other words, should this release_agent file be overwritten by an attacker, the kernel can be forced into calling an arbitrary binary configured in the release agent with the highest possible permissions – a scenario that could effectively allow a full takeover of the machine.
It is, however, worth noting that only processes with “root” privileges can write to the file, meaning that the vulnerability only permits root processes to escalate privileges.
“At first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem bizarre,” Avrahami explained. “Running as root doesn’t necessarily mean full control over the machine: There’s a gray area between the root user and full privileges that includes capabilities, namespaces and containers. In these scenarios where a root process doesn’t have full control over the machine, CVE-2022-0492 becomes a serious vulnerability.”
Although containers running with AppArmor or SELinux are protected from the flaw, users are advised to apply the patches in light of the fact that it could be abused by other malicious host processes to elevate privileges.
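As an added, defender-oriented example that is not from the article or from Unit 42's report: a read-only triage script that parses /proc/self/mountinfo and /proc/self/status (constructed samples are embedded so it runs offline) and reports the three conditions the article ties together: whether the process sees cgroup v1 hierarchies, whether it holds CAP_SYS_ADMIN, and whether any release_agent file is writable to it. The function names, the sample data and the injectable `writable` hook are my assumptions; a patched kernel closes the hole regardless of what this reports, so treat the output as a prioritisation aid, not a verdict.

```python
import os
import re

# CAP_SYS_ADMIN is capability bit 21 in the Linux capability bitmask.
CAP_SYS_ADMIN = 21

# Constructed sample of /proc/self/mountinfo: the root filesystem, one cgroup v1
# hierarchy (fstype "cgroup") and one cgroup v2 mount (fstype "cgroup2").
SAMPLE_MOUNTINFO = """\
30 1 254:1 / / rw,relatime - ext4 /dev/vda1 rw
26 21 0:24 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,memory
34 21 0:25 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
"""

# Constructed /proc/self/status excerpt carrying Docker's default capability
# set, which does not include CAP_SYS_ADMIN.
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"


def cgroup_v1_mounts(mountinfo_text):
    """Return mount points whose fstype is 'cgroup' (v1); 'cgroup2' is skipped."""
    mounts = []
    for line in mountinfo_text.splitlines():
        # Format: id parent maj:min root mount_point opts [optional...] - fstype source superopts
        pre, sep, post = line.partition(" - ")
        fields, tail = pre.split(), post.split()
        if not sep or len(fields) < 6 or not tail:
            continue
        if tail[0] == "cgroup":
            mounts.append(fields[4])
    return mounts


def has_cap_sys_admin(status_text):
    """True if the CapEff bitmask in a /proc/<pid>/status dump has bit 21 set."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    return bool(match) and bool((int(match.group(1), 16) >> CAP_SYS_ADMIN) & 1)


def audit(mountinfo_text, status_text, writable=os.access):
    """Summarise the three conditions; `writable` is injectable for offline tests."""
    v1 = cgroup_v1_mounts(mountinfo_text)
    agents = [os.path.join(mp, "release_agent") for mp in v1]
    return {"cgroup_v1_mounts": v1,
            "cap_sys_admin": has_cap_sys_admin(status_text),
            "writable_release_agent": [p for p in agents if writable(p, os.W_OK)]}


if __name__ == "__main__":
    try:  # Live run reads the real proc files; fall back to the constructed samples.
        with open("/proc/self/mountinfo") as m, open("/proc/self/status") as s:
            print(audit(m.read(), s.read()))
    except OSError:
        print(audit(SAMPLE_MOUNTINFO, SAMPLE_STATUS))
```

A non-empty `writable_release_agent` list combined with `cap_sys_admin` set is the combination to escalate to the patching team first; on a host running only cgroup v2 the first list is empty and the release_agent path does not apply.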
This is far from the first time release_agent has emerged as an attack vector. In July 2017, Google Project Zero researcher Felix Wilhelm demonstrated a “quick and dirty” proof-of-concept (PoC) exploit leveraging the feature to break out of privileged Kubernetes and Docker containers.
Then in November 2021, cloud security company Aqua disclosed details of a cryptocurrency mining campaign that used the exact same container escape technique to drop the XMRig coin miner on infected hosts, making it the first recorded instance of real-world exploitation.
“CVE-2022-0492 marks another Linux vulnerability that can be exploited for container escape,” Avrahami concluded. “Fortunately, environments that follow best practices are protected from this vulnerability. Environments with lax security controls hosting untrusted or publicly exposed containers are, unsurprisingly, at high risk.”