A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host.
“Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods,” CrowdStrike researchers John Walker and Manoj Ahuje said in an analysis published this week.
A lightweight alternative to Docker, CRI-O is a container runtime implementation of the Kubernetes Container Runtime Interface (CRI) that’s used to pull container images from registries and launch an Open Container Initiative (OCI)-compatible runtime such as runC to spawn and run container processes.
The vulnerability is rated 8.8 on the CVSS vulnerability scoring system and affects CRI-O versions 1.19 and later. Following responsible disclosure, patches have been released to address the flaw in version 1.23.2 shipped on March 15, 2022.
CVE-2022-0811 stems from a code change introduced in version 1.19 to set kernel options for a pod, resulting in a scenario where a bad actor with permissions to deploy a pod on a Kubernetes cluster using the CRI-O runtime can take advantage of the “kernel.core_pattern” parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
The parameter “kernel.core_pattern” is used to specify a pattern name for a core dump, which is a file containing the memory snapshot of a program at a specific time that’s typically activated in response to unexpected crashes or when the process terminates abnormally.
“If the first character of the pattern is a ‘|’ [a pipe], the kernel will treat the rest of the pattern as a command to run. The core dump will be written to the standard input of that program instead of to a file,” reads the Linux kernel documentation.
Therefore, by setting this option to point to a malicious shell script and triggering a core dump, the vulnerability leads to the invocation of the script, effectively achieving remote code execution and granting the adversary the ability to take over the node.
“Kubernetes is not necessary to invoke CVE-2022-8011,” the researchers pointed out. “An attacker on a machine with CRI-O installed can use it to set kernel parameters all by itself.”