Security Engineer Andy Nguyen, who works for Google in Switzerland, discovered and responsibly disclosed a vulnerability in Netfilter, tracked as CVE-2021-22555, which can be exploited to allow an attacker to break out of a Kubernetes pod and gain root privileges on the underlying Linux system. The vulnerability was reported to the Linux kernel security group in April 2021 and was patched shortly thereafter. The public announcement and proof-of-concept code for the exploit were delayed until July 7th to allow organizations enough time to patch vulnerable systems. The vulnerability was complicated to find an exploit for, and made use of a flaw in the Netfilter code in which memset() is called to set four bytes in memory to the value 0, but the memory address to be set was able to be controlled by an attacker from an unprivileged user process. While it may not seem that dangerous to allow a user to control which four bytes in memory are set to zero by the kernel, Nguyen’s thorough investigation led to discovering exactly how to turn that small measure of control into root access for an attacker, if they had already achieved some access to the system.
Responsible disclosure by security researchers is critical to software security. All companies that develop software should have a mechanism for researchers to report vulnerabilities, and a process established to quickly investigate and remediate any security problems that are found. In this case, the Linux kernel security group was able to get a patch out within days of reporting, and Linux distribution maintainers had adequate time to release patches before the vulnerability and exploit were publicly released. Organizations should continue to pay attention to security announcements from product vendors and apply patches as soon as practical through a vulnerability management and testing process. Once an exploit has been publicly released, threat actors are quick to make use of it against any unpatched systems they find.