CrowdStrike demonstrates dangers of container escape attacks
CrowdStrike gave a live demonstration at RSA Conference 2022 of how an attacker can use a recently discovered Kubernetes flaw to obtain full control over a container's host system.
SAN FRANCISCO -- CrowdStrike executives outlined how a recently disclosed container vulnerability can lead to container escape attacks and complete system compromises.
Speaking at the 2022 RSA Conference, CrowdStrike CEO George Kurtz and CTO Michael Sentonas provided attendees with a real-time demonstration of an exploit for CVE-2022-0811. CrowdStrike researchers discovered the vulnerability, also known as "cr8escape," earlier this year.
First disclosed in March, cr8escape is a vulnerability in the way the CRI-O runtime handles kernel dump reports in the event of a container crash. In particular, the kernel.core_pattern reports, which are launched as root on the host machine, can be seeded with kernel commands that would otherwise be considered unsafe and disabled by default.
"When you look at system controls, they are grouped into safe and unsafe," Sentonas explained. "The problem is CRI-O validates the names into a set of known safe options, but it doesn't validate the values, which is a pretty big problem."
In a real-world scenario, the attacker could create a container image (likely one designed to impersonate a legitimate container) and modify the kernel.core_pattern file to include a command rather than the normal text. The command would point to the local storage path of another file in the container, such as an attack script.
From there, the malicious container would be given instructions to deliberately crash itself and cause a core dump. That would of course lead to the host machine launching the kernel.core_pattern, and thus completing the attack.
Once exploited, the attacker would be running on the host machine as root, giving them the ability to install and execute remote shells, as well as have access to other containers and the ability to move laterally on the local network.
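The gap Sentonas describes, names checked but values left unchecked, is the kind of thing a defender can audit for in pod manifests. The Go sketch below is an added example, not CrowdStrike's or CRI-O's code: it checks each sysctl in a JSON pod manifest against an allow-list of names and a strict per-name value pattern. The function name, patterns and sample manifest are constructed for illustration, and the allow-list is assumed to be the Kubernetes safe-sysctl set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Allow-listed sysctl names (assumed: the Kubernetes "safe" set), each with
// the only value shape accepted for it. Patterns are anchored at both ends.
var safeSysctls = map[string]*regexp.Regexp{
	"kernel.shm_rmid_forced":              regexp.MustCompile(`^[01]$`),
	"net.ipv4.ip_local_port_range":        regexp.MustCompile(`^\d{1,5}\s+\d{1,5}$`),
	"net.ipv4.tcp_syncookies":             regexp.MustCompile(`^[012]$`),
	"net.ipv4.ping_group_range":           regexp.MustCompile(`^\d{1,10}\s+\d{1,10}$`),
	"net.ipv4.ip_unprivileged_port_start": regexp.MustCompile(`^\d{1,5}$`),
}

type pod struct {
	Spec struct {
		SecurityContext struct {
			Sysctls []struct{ Name, Value string } `json:"sysctls"`
		} `json:"securityContext"`
	} `json:"spec"`
}

// AuditSysctls returns one finding per sysctl whose name is not allow-listed
// or whose value does not have the expected form for that name.
func AuditSysctls(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, s := range p.Spec.SecurityContext.Sysctls {
		re, ok := safeSysctls[s.Name]
		switch {
		case !ok:
			findings = append(findings, fmt.Sprintf("name not allow-listed: %s", s.Name))
		case !re.MatchString(s.Value):
			findings = append(findings, fmt.Sprintf("unexpected value for %s: %q", s.Name, s.Value))
		}
	}
	return findings, nil
}

// Constructed sample: one clean entry, one safe name with extra text in its value, one unsafe name.
const sampleManifest = `{"spec":{"securityContext":{"sysctls":[{"name":"kernel.shm_rmid_forced","value":"1"},{"name":"kernel.shm_rmid_forced","value":"1;other.setting=x"},{"name":"kernel.core_pattern","value":"core"}]}}}`

func main() { f, err := AuditSysctls([]byte(sampleManifest)); fmt.Println(f, err) }
```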
While the process of a cr8escape scenario sounds complicated, actually exploiting the flaw is a fairly straightforward process.
In a short demo onstage, Kurtz and Sentonas showed the RSA Conference crowd how an attacker would be able to pull off a successful exploit that could quickly lead to the attacker escaping container restrictions and getting access to the host system, as well as the ability to access other containers. The entire demonstration, from launch to takeover, was completed by the duo in just a few minutes.
The executives said container escape attacks and flaws such as cr8escape are particularly dangerous because they align well with recent attack trends. Because containers are mostly used by developers, bugs in the platforms will be popular targets for supply chain attacks where attackers modify a developer's code in order to get access to all their customers.
Attacks such as the 2021 SolarWinds compromise have resulted in large numbers of companies potentially having their networks left vulnerable to remote access and data theft.
"I think Kubernetes is the future of technology," Kurtz said. "And there is a lot of concern from CIOs about what can happen if you escape the container."