A missing check allows unprivileged attackers to escape containers and execute arbitrary commands in the kernel.
As the “Dirty Pipe” Linux security bug comes to light, two researchers from Huawei – Yiqi Sun and Kevin Wang – have disclosed a vulnerability in the Linux kernel’s “control groups” feature that allows attackers to escape containers, escalate privileges and execute arbitrary commands on a host machine.
The bug (CVE-2022-0492) exists in the Linux kernel’s “cgroup_release_agent_write” function, which is found in the “kernel/cgroup/cgroup-v1.c” source file.
“This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly,” according to a NIST National Vulnerability Database advisory, which has not yet reported a CVSS severity score for the bug. This allows container escape in Kubernetes environments, the researchers found – i.e., the ability to access other users’ containers in public cloud environments.
“Although containers offer a higher degree of security,” Delinea senior product marketing manager Shweta Khare wrote via email, “recent incidents have demonstrated that containers are being exploited often via such vulnerabilities.”
Unprivileged Users Can Perform Privileged Operations
Linux control groups – “cgroups” – allow system admins to allocate computing resources – memory, bandwidth, etc. – among whatever processes might run on a system. In the words of Red Hat – a major contributor to the Linux kernel – cgroups allow for “fine-grained control over allocating, prioritizing, denying, managing and monitoring system resources.” In the right hands cgroups are, therefore, a powerful tool for control and security over a system.
It should be noted that there are two kinds of cgroups architecture – called v1 and v2 – and that CVE-2022-0492 affects only v1.
According to Palo Alto Networks researchers, who wrote their own analysis and patch for the issue, “Linux simply didn’t check that the process setting the release_agent file has administrative privileges (i.e. the CAP_SYS_ADMIN capability).”
The release_agent file “allows administrators to configure a ‘release agent’ program that would run upon the termination of a process in the cgroup,” they added. So, attackers capable of writing to the release_agent file can exploit it to gain full admin privileges.
On Feb. 4, a security researcher reported that the bug had been fixed by requiring “capabilities to set release_agent.”
According to the GitHub commit, “the cgroup release_agent is called with ‘call_usermodehelper.’ The function call_usermodehelper starts the release_agent with a full set of capabilities. Therefore, require capabilities when setting the release_agent.”
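The missing check described above has a straightforward defender-side counterpart: find out whether a host still exposes the legacy cgroup v1 release_agent file, whether the current process could write to it, and whether the process holds CAP_SYS_ADMIN, the capability the fix now requires. The following bash script is an added example written for this article, not code from the Linux kernel, Red Hat, Huawei or Palo Alto Networks. It is read-only (it never writes release_agent), the mount table and CapEff values embedded at the bottom are constructed samples rather than captures from a real host, and the --live flag it accepts is a hypothetical option of this script only. A clean result is not proof of safety on an unpatched kernel; the commit quoted above is what closes the hole.

```shell
#!/usr/bin/env bash
# Added, illustrative audit for the cgroups v1 release_agent issue
# (CVE-2022-0492). Not kernel, Red Hat, Huawei or Palo Alto Networks code.
# Read-only: it inspects mounts and capabilities and never writes release_agent.

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN is bit 21 of the CapEff mask

# cgroup_mode MOUNTS_TEXT
# Prints "v1" if any legacy (v1) cgroup hierarchy is mounted (these are the
# only hierarchies that carry a release_agent file), "v2" if only the unified
# hierarchy is, "none" otherwise. Input is /proc/mounts-style text.
cgroup_mode() {
    if printf '%s\n' "$1" | awk '$3 == "cgroup" { f = 1 } END { exit f ? 0 : 1 }'; then
        echo v1
    elif printf '%s\n' "$1" | awk '$3 == "cgroup2" { f = 1 } END { exit f ? 0 : 1 }'; then
        echo v2
    else
        echo none
    fi
}

# has_cap_sys_admin CAPEFF_HEX
# Succeeds when CAP_SYS_ADMIN is set in a 16-digit CapEff value as printed in
# /proc/<pid>/status (e.g. "00000000a80425fb"). Bit 21 lies in the low
# 32 bits, so only the last eight hex digits are parsed (portable arithmetic).
has_cap_sys_admin() {
    local low32 mask
    low32=${1#"${1%????????}"}          # last eight hex digits
    mask=$(printf '%d' "0x$low32")
    [ $(( (mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# v1_release_agent_paths MOUNTS_TEXT
# One release_agent path per mounted v1 hierarchy.
v1_release_agent_paths() {
    printf '%s\n' "$1" | awk '$3 == "cgroup" { print $2 "/release_agent" }'
}

# writable_release_agents MOUNTS_TEXT
# Prints each v1 release_agent file the current process is allowed to write.
# That write is exactly what the fix gates behind CAP_SYS_ADMIN.
writable_release_agents() {
    v1_release_agent_paths "$1" | while IFS= read -r p; do
        if [ -n "$p" ] && [ -w "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# assess MODE CAPEFF_HEX WRITABLE_COUNT
# One-line verdict, assuming the kernel has not yet received the fix.
assess() {
    if [ "$1" != v1 ]; then
        echo "not-exposed: no cgroup v1 hierarchy mounted"
    elif [ "$3" -gt 0 ]; then
        echo "exposed: release_agent writable by this process"
    elif has_cap_sys_admin "$2"; then
        echo "privileged: CAP_SYS_ADMIN held, release_agent writes are permitted by design"
    else
        echo "limited: cgroup v1 present but no writable release_agent; patch the kernel"
    fi
}

# audit_live: run the checks against this host (needs a Linux /proc).
audit_live() {
    local mounts capeff mode writable
    mounts=$(cat /proc/mounts)
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    mode=$(cgroup_mode "$mounts")
    writable=$(writable_release_agents "$mounts" | wc -l | tr -d ' ')
    echo "cgroup mode: $mode   CapEff: $capeff   writable release_agent files: $writable"
    assess "$mode" "$capeff" "$writable"
}

# Constructed samples (not captured from a real host): a v1 host, a v2 host,
# a capability set modelled on a typical unprivileged container (no
# CAP_SYS_ADMIN) and a full root set.
SAMPLE_V1_MOUNTS='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0'
SAMPLE_V2_MOUNTS='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_CAPEFF_CONTAINER=00000000a80425fb
SAMPLE_CAPEFF_FULL=000001ffffffffff

if [ "${1-}" = "--live" ]; then      # hypothetical flag of this script only
    audit_live
else
    echo "sample v1 host: $(cgroup_mode "$SAMPLE_V1_MOUNTS")"
    echo "sample v2 host: $(cgroup_mode "$SAMPLE_V2_MOUNTS")"
    echo "sample container on v1 host: $(assess v1 "$SAMPLE_CAPEFF_CONTAINER" 0)"
fi
```

Run it with no arguments to see the verdicts for the constructed samples, or with `--live` on a Linux host to audit the mount table and capabilities of the shell it runs in. The "privileged" branch is deliberate: a process that already holds CAP_SYS_ADMIN in the initial user namespace passes the check the commit introduced, so the fix changes nothing for it; it is the unprivileged write path that the patch removes.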
A flaw in cgroups might warrant particular attention because, Khare noted, “in most organizations, microservices and containers are not yet covered under the enterprise security plan.”
She added that “enabling granular privilege management at the container platform and the container operating system layers across the development environments” can help mitigate such vulnerabilities, even before they become widely known. Ultimately, though, patching is the most important thing.
The Latest in a Series of Kernel Bugs
Because the kernel sits at the core of a computer’s operating system, security vulnerabilities that arise in it tend to be quite serious. Late last year, for example, a critical heap-overflow bug introduced the possibility of remote code execution and full takeover of Linux machines. That one was rated critical by NIST NVD, with a CVSS score of 9.8 out of 10.
A number of other vulnerabilities have been discovered in the kernel in only the last few months. February brought CVE-2022-0185, a “heap-based overflow flaw” with “the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length.” Like CVE-2022-0492, the flaw exposed the possibility of unauthorized privilege escalation.
More recently – just this Monday, in fact – a researcher published the details of CVE-2022-0847 (a.k.a. “Dirty Pipe”), which allows unprivileged processes to inject code into root processes, thus overwriting data in arbitrary read-only files and paving the way for privilege escalation and arbitrary code execution.
“Given the prevalence of Linux in highly sensitive infrastructure, this is a very important vulnerability to mitigate,” wrote Paul Zimski, vice president of product strategy at Automox, via email. “It is highly recommended that IT and SecOps admins prioritize patching and remediation of this vulnerability in the next 24 hours to reduce organizational risk.”