A recently discovered Linux kernel bug could be used by hackers to escape Kubernetes containers and access critical resources on the host system.
The vulnerability, tracked as CVE-2022-0185, is currently reserved, and affects all Linux kernel versions from 5.1-rc1 to the latest releases (5.4.173, 5.10.93, 5.15.1). Security experts believe the bug is easier to exploit than initial analysis predicted and they stress the urgency of patching impacted systems before the imminent release of the exploit code.
The bug is a heap-based buffer-overflow vulnerability that affects the “File System Context” Linux kernel component. Left unpatched, this security flaw can help perpetrators perform arbitrary code executions, out-of-bounds write (OOB write), and Denial of Service (DoS) attacks.
Reportedly, triggering the flow could let attackers modify kernel memory values and gain access to processes running on the same node. Local users could also exploit this vulnerability to gain elevated privileges on the system, according to Linux distribution security notices.
For the exploit to work, the attacker must use the unshare command to enter a namespace using the CAP_SYS_ADMIN permission or leverage an unprivileged namespace. Additionally, Docker’s seccomp filter blocks unshare by default, so it’s not possible to run the command.
However, the seccomp filter is apparently disabled by default when Docker or other Container Runtime Interface (CRI) are used in a Kubernetes cluster, which unblocks the unshare command and leaves the system vulnerable. In this situation, an attacker could easily run the command, get a shell with full privileges, and execute code on the compromised system.
This flaw was discovered by William Liu and Jamie Hill-Daniel, members of the Crusaders of Rust (CoR) Capture The Flag (CTF) team that counts 21 members from the US and Europe. The team plans to release the CVE-2022-0185 exploit code in about a week, to leave enough time for patching, BleepingComputer reported.
To fend off this security flaw, administrators are urged to upgrade the Linux kernel to 5.16.2 or later, if possible. The update is not available yet for all Linux distros and if building the kernel from source is not a viable option, system administrators should take the following actions:
- Disable unprivileged user namespaces
- Ubuntu users:
sysctl -w kernel.unprivileged_userns_clone=0
- Red Hat users:
# echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
# sysctl -p /etc/sysctl.d/userns.conf
- Ubuntu users:
- Keep only essential
CAP_SYS_ADMINpods on workloads
- Ensure that the
seccompfilter works properly (blocks the unshare command)
- Restrict container’s syscalls with
seccomp(check out Kubernetes’ in-depth tutorial)