Container vulnerability opens door for supply chain attacks
A CRI-O container engine vulnerability could allow attackers to bypass security controls and take over a host system, according to CrowdStrike researchers.
A vulnerability in the way Linux machines handle containers may be leaving the door open to remote takeover attacks.
CrowdStrike researchers, who discovered the flaw, said that the CRI-O container engine and the Linux kernel are the source of CVE-2022-0811, an elevation-of-privilege vulnerability that could allow an attacker to elevate their privilege from local user to administrator. CRI-O is an open source implementation of Kubernetes' Container Runtime Interface (CRI).
Updating to the latest version of CRI-O will prevent exploitation of the bug. The bug has been given the nickname "Cr8escape."
While elevation-of-privilege flaws are generally not considered high-risk vulnerabilities, in the context of container platforms like Kubernetes, a successful exploit would allow an attacker to get remote control over servers and potentially poison the container with attack code.
In the wild, that sort of attack could become a supply chain attack, where the attacker is able to compromise a developer's environment and push poisoned software updates to end users and customers.
"It is possible for an attacker to conduct a supply chain attack exploiting this vulnerability," CrowdStrike senior director of cloud security engineering Sasan Padidar told SearchSecurity.
"All of this is managed via code and does not require access to a host."
A textbook example of such an attack was the 2021 SolarWinds attack, when Russian state-sponsored hackers were able to compromise the software update pipeline of the IT management software maker to push malware onto thousands of customer servers and administrator systems.
The vulnerability itself involves the way CRI-O containers interact with the Linux kernel. Because earlier versions of CRI-O do not properly check system privileges and set permissions, it would be possible for an attacker to create a container that was able to reset its user privileges and turn itself from an end user account to an administrator.
"As a result of CVE-2022-0811, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the 'kernel.core_pattern' parameter to achieve container escape and arbitrary code execution as root on any node in the cluster," CrowdStrike researchers John Walker and Manoj Ahuje wrote in a blog post.
What's worse, the researchers said, is that the targets don't even need to be running Kubernetes in order to be attacked.
"Kubernetes is not necessary to invoke CVE-2022-0811," Walker and Ahuje wrote.
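
For clusters that do run CRI-O under Kubernetes, the following added example (not code from CrowdStrike or the CRI-O project) audits pod specs for sysctl settings that reference the 'kernel.core_pattern' parameter named in the researchers' quote, and lists any other sysctl outside the set Kubernetes documents as safe by default. The function names and the sample pods are constructed for illustration; the input is assumed to be the JSON printed by `kubectl get pods -A -o json`.

```python
import json

# Sysctls that Kubernetes documents as "safe" and allows by default.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}
WATCHED = "kernel.core_pattern"  # parameter named in the researchers' quote


def audit_pod(pod):
    """Return (severity, message) findings for one pod object (hypothetical helper)."""
    findings = []
    meta = pod.get("metadata", {})
    ident = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    ctx = pod.get("spec", {}).get("securityContext") or {}
    for entry in ctx.get("sysctls") or []:
        name, value = str(entry.get("name", "")), str(entry.get("value", ""))
        # Look at both fields: a pod has no reason to mention this parameter at all.
        if WATCHED in name or WATCHED in value:
            findings.append(("high", f"{ident}: {WATCHED} referenced in sysctl {name!r}"))
        elif name not in SAFE_SYSCTLS:
            findings.append(("review", f"{ident}: non-default sysctl {name!r}"))
    return findings


def audit_pod_list(doc):
    """Audit a pod list document such as `kubectl get pods -A -o json` output."""
    results = []
    for pod in json.loads(doc).get("items", []):
        results.extend(audit_pod(pod))
    return results


def _pod(name, sysctls):
    return {"metadata": {"namespace": "demo", "name": name},
            "spec": {"securityContext": {"sysctls": sysctls}}}

# Constructed sample input, not real cluster data.
SAMPLE = json.dumps({"items": [
    _pod("web", [{"name": "net.ipv4.tcp_syncookies", "value": "1"}]),
    _pod("tuned", [{"name": "net.core.somaxconn", "value": "1024"}]),
    _pod("odd", [{"name": "kernel.shm_rmid_forced",
                  "value": "<constructed text mentioning kernel.core_pattern>"}]),
    {"metadata": {"name": "plain"}, "spec": {}},
]})

if __name__ == "__main__":
    for severity, message in audit_pod_list(SAMPLE):
        print(f"[{severity}] {message}")
```

A "high" finding on a cluster that has not yet been updated to a fixed CRI-O release is a reason to inspect that pod's owner and the node it ran on; the audit complements the update and does not replace it.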