CVE-2022-0185 is a Linux kernel bug first reported last week by the Crusaders of Rust CTF team (CoR) that affects versions 5.1-rc1 through the latest versions (5.4.183, 5.10.93,5.15.1). Specifically, this bug is a heap overflow bug in legacy_parse_param() that can be exploited for arbitrary code execution (ACE) or denial of service (DoS) via a system crash. Debian 11, Ubuntu 20+, and Red Hat Enterprise 8.4 GA+ are among the distributions affected. Container escape in Kubernetes is achieved by leveraging an unprivileged namespace or using “unshare” to enter a namespace with the CAP_SYS_ADMIN permission. Researchers from Aquasec observed that default configurations using Docker in a Kubernetes cluster are vulnerable, resulting in shell access with root privileges. A limited proof of concept (PoC) from CoR is currently public and a full exploit PoC is anticipated to be made available by next week.
Analyst Notes
Since the CoR team has stated that full exploit code will be released next week, and researchers have indicated that this exploit is easy to leverage, Binary Defense recommends adopting the security advisory mitigations as appropriate for each organization’s environment, and to prioritize patching Linux kernels to the latest version when released for the relevant distribution. Full details are in the advisories linked below, but for example, unprivileged namespaces can be disabled in Ubuntu 20+ via
sysctl -w kernel.unprivileged_userns_clone=0
And in RedHat via
# echo “user.max_user_namespaces=0” > /etc/sysctl.d/userns.conf
# sysctl -p /etc/sysctl.d/userns.conf
Modern computing systems, whether open or closed source, are complex and zero-day vulnerabilities cannot be avoided in an enterprise environment. Moreover, patching can introduce new vulnerabilities or systemic issues, which means that a defense-in-depth strategy focusing on post-exploitation detection and response is an essential feature of risk mitigation in today’s threat environment.
https://www.bleepingcomputer.com/news/security/linux-kernel-bug-can-let-hackers-escape-kubernetes-containers/#.YfBlUOl3xAg.twitter
https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes
https://github.com/Crusaders-of-Rust/CVE-2022-0185
https://ubuntu.com/security/CVE-2022-0185
https://access.redhat.com/security/cve/CVE-2022-0185
