A new high-severity Linux kernel vulnerability could have been abused to escape a container and execute arbitrary commands on the host. The vulnerability is tracked as CVE-2022-0492 and has been detailed by Palo Alto Networks Unit 42 researchers.
CVE-2022-0492 Linux Kernel Bug in Detail
According to Palo Alto’s post, “on Feb. 4, Linux announced CVE-2022-0492, a new privilege escalation vulnerability in the kernel. CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers.” It is noteworthy that the vulnerability is considered one of the simplest Linux privilege escalation bugs discovered recently. At its core, the Linux kernel mistakenly exposed a privileged operation to unprivileged users, the report said.
The good news is that the default security hardening in most container environments is enough to prevent container escape. More specifically, containers running with AppArmor or SELinux are safe. If you run containers without these protections or with additional privileges, you may be exposed. To clear things up, the researchers compiled a list called “Am I Affected” that shows vulnerable container configurations and gives instructions on how to test whether a container environment is at risk.
CVE-2022-0492 can also allow root host processes with no capabilities, or non-root host processes with the CAP_DAC_OVERRIDE capability, to escalate privileges and obtain all capabilities. This lets attackers bypass a hardening measure used by certain services: dropping capabilities so as to limit the impact of a compromise, Unit 42 explained.
The best recommendation is upgrading to a fixed kernel version. “For those running containers, enable Seccomp and ensure AppArmor or SELinux are enabled. Prisma Cloud users can refer to the “Prisma Cloud Protections” section for the mitigations provided by Prisma Cloud,” the report noted.
This is the third kernel bug in the past few months that allows malicious containers to escape. In all three cases, securing containers with Seccomp and either AppArmor or SELinux has been sufficient to avert container escape.
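A quick posture check for the protections named above (Seccomp, AppArmor or SELinux, and the effective capability set, including CAP_DAC_OVERRIDE), written as an added example; it is not Unit 42’s own “Am I Affected” test and does not replace upgrading the kernel. It assumes the standard /proc and sysfs locations, and the SAMPLE_STATUS excerpt is constructed to resemble a default Docker container.

```python
"""Report the container hardening the article names as sufficient against
CVE-2022-0492 escape (Seccomp plus AppArmor or SELinux) and whether
CAP_DAC_OVERRIDE is in the effective capability set.  Added example."""
import sys

CAP_DAC_OVERRIDE = 1  # bit index in CapEff, from linux/capability.h

# Constructed excerpt of /proc/self/status for a container run with defaults.
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"

def parse_proc_status(text):
    """Extract Seccomp mode (0 disabled, 1 strict, 2 filter) and CapEff bits."""
    seccomp, cap_eff = 0, 0
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Seccomp":
            seccomp = int(value.strip())
        elif key == "CapEff":
            cap_eff = int(value.strip(), 16)
    return {"seccomp": seccomp, "cap_eff": cap_eff}

def has_cap(cap_eff, bit):
    return bool((cap_eff >> bit) & 1)

def assess(status_text, attr_current, selinux_enforce):
    """attr_current: /proc/self/attr/current text ('docker-default (enforce)'
    under AppArmor, 'unconfined' when no profile applies); selinux_enforce:
    /sys/fs/selinux/enforce text ('1' = enforcing) or None if SELinux is absent.
    Assumption: host SELinux enforcing is treated as an LSM being active."""
    st = parse_proc_status(status_text)
    apparmor_on = (attr_current or "").strip().endswith("(enforce)")
    selinux_on = (selinux_enforce or "").strip() == "1"
    return {
        "seccomp": st["seccomp"] == 2,
        "lsm": apparmor_on or selinux_on,
        "cap_dac_override": has_cap(st["cap_eff"], CAP_DAC_OVERRIDE),
        "no_caps": st["cap_eff"] == 0,
    }

def read_or_none(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None

if __name__ == "__main__":
    status = read_or_none("/proc/self/status") or SAMPLE_STATUS
    result = assess(status, read_or_none("/proc/self/attr/current"),
                    read_or_none("/sys/fs/selinux/enforce"))
    for check, ok in result.items():
        print(f"{check}: {ok}")
    # The article's guidance: both Seccomp and an LSM should be enabled.
    sys.exit(0 if result["seccomp"] and result["lsm"] else 1)
```

Run it inside the container under review; a non-zero exit means one of the two protections the article relies on is missing.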
CVE-2021-43267 is another example of a Linux kernel bug, this one located in the kernel’s Transparent Inter-Process Communication (TIPC) module. The flaw could be exploited both locally and remotely, allowing arbitrary code execution within the kernel and, as a result, a takeover of vulnerable devices.