Andy Nguyen, a security engineer at Google in Switzerland, discovered and responsibly disclosed a vulnerability in the Linux kernel's Netfilter subsystem, tracked as CVE-2021-22555, which an unprivileged local attacker can exploit to break out of a Kubernetes pod and gain root on the underlying host; Nguyen demonstrated the escape against Google's kCTF cluster. The bug is a heap out-of-bounds write in the x_tables 32-bit compatibility code (the path that translates an iptables ruleset supplied by a 32-bit process, reachable through setsockopt), and it had been present since 2006. Triggering it requires CAP_NET_ADMIN, which an unprivileged process can obtain by creating its own user namespace, so the usual container boundary does not stop it. The vulnerability was reported to the Linux kernel security team in April 2021 and fixed in the mainline kernel within days, with the fix backported to stable releases. Public disclosure and proof-of-concept exploit code were held back until July 7, 2021 to give organizations time to patch.

The flaw itself is small: the kernel calls memset() to zero four bytes of alignment padding after a rule's target data, but the offset at which those four bytes are written is derived from the attacker-supplied ruleset and is not checked against the end of the allocated buffer, so the zeroes can land just past the end of a kernel heap object. Writing four zero bytes at a partially controlled location may not sound dangerous, but Nguyen's thorough investigation showed exactly how to turn that primitive into a full root escalation for an attacker who already has code execution as an unprivileged user on the system. Organizations should upgrade to a patched kernel; where that is not immediately possible, restricting unprivileged user namespaces removes the easiest route to the CAP_NET_ADMIN capability the exploit needs, and kernels built without 32-bit compatibility support do not contain the vulnerable code path.
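The following is an added example, not code from the original page or from the kernel, written to show the bug class the paragraph describes: a zero-fill of alignment padding whose offset comes from caller-controlled data and is never compared against the end of the allocation. It is a simplified user-space model (the `struct blob`, `pad_target_unchecked`, `pad_target_checked` and the 32-byte scenario are all constructed for the demonstration and are not kernel names or the real kernel layout). A guard region of canary bytes after the blob makes the overrun observable without undefined behaviour. The hardened variant bounds the offset before touching memory; as noted in the comments, the upstream kernel fix took a different route and removed the per-entry pad memset in favour of zeroing the whole blob at allocation.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of the bug class, not kernel code. A 64-bit
 * kernel pads a target's payload up to an 8-byte boundary, but the 32-bit
 * compat ruleset the (unprivileged) caller supplies was laid out with 4-byte
 * alignment. If the kernel-side rule blob was sized from the caller's layout
 * and the pad is then zeroed using native alignment at a caller-derived
 * offset, the zero-fill can run past the end of the blob. */
#define NATIVE_ALIGN 8u
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((size_t)(a) - 1))
#define BLOB_MAX 64u
#define GUARD 16u   /* canary bytes after the blob: an overrun is visible but stays inside buf */

struct blob {
    uint8_t buf[BLOB_MAX + GUARD];
    size_t len;     /* bytes the blob is allowed to use */
};

static void blob_init(struct blob *b, size_t len) {
    memset(b->buf, 0xAA, sizeof b->buf);   /* canary pattern everywhere */
    b->len = len > BLOB_MAX ? BLOB_MAX : len;
}

/* Guard bytes turned to zero: anything above 0 is an out-of-bounds write. */
static size_t guard_bytes_zeroed(const struct blob *b) {
    size_t n = 0;
    for (size_t i = b->len; i < b->len + GUARD; i++)
        if (b->buf[i] == 0)
            n++;
    return n;
}

/* Vulnerable pattern: zero the alignment pad after the payload without
 * checking that the pad still lies inside the blob. (For the demo the
 * caller keeps data_off + targetsize + pad within buf, so the overrun only
 * reaches the guard bytes.) */
static int pad_target_unchecked(struct blob *b, size_t data_off, size_t targetsize) {
    size_t pad = ALIGN_UP(targetsize, NATIVE_ALIGN) - targetsize;
    if (pad > 0)
        memset(b->buf + data_off + targetsize, 0, pad);   /* may cross b->len */
    return 0;
}

/* Hardened pattern: bound every caller-derived offset against the blob
 * before touching memory. (Upstream fixed the real bug differently: the
 * per-entry pad memset was removed and the whole blob is zeroed when it is
 * allocated, so nothing depends on the caller-derived offset.) */
static int pad_target_checked(struct blob *b, size_t data_off, size_t targetsize) {
    size_t pad = ALIGN_UP(targetsize, NATIVE_ALIGN) - targetsize;
    if (data_off > b->len || targetsize > b->len - data_off)
        return -EINVAL;                       /* payload itself is out of range */
    if (pad > b->len - data_off - targetsize)
        return -EINVAL;                       /* pad would cross the end of the blob */
    if (pad > 0)
        memset(b->buf + data_off + targetsize, 0, pad);
    return 0;
}

typedef int (*pad_fn)(struct blob *, size_t, size_t);

/* Run one scenario on a fresh blob and report the pad function's return code. */
static int scenario_rc(pad_fn pad, size_t len, size_t data_off, size_t targetsize) {
    struct blob b;
    blob_init(&b, len);
    return pad(&b, data_off, targetsize);
}

/* Run one scenario on a fresh blob and report how many guard bytes it zeroed. */
static size_t scenario_guard_zeroed(pad_fn pad, size_t len, size_t data_off, size_t targetsize) {
    struct blob b;
    blob_init(&b, len);
    (void)pad(&b, data_off, targetsize);
    return guard_bytes_zeroed(&b);
}

int main(void) {
    /* Constructed scenario: 32-byte blob, 4-byte payload placed at offset 28.
     * The native pad is 4 bytes, so the zero-fill starts exactly at the end
     * of the blob. */
    printf("unchecked: rc=%d, guard bytes zeroed=%zu\n",
           scenario_rc(pad_target_unchecked, 32, 28, 4),
           scenario_guard_zeroed(pad_target_unchecked, 32, 28, 4));
    printf("checked:   rc=%d, guard bytes zeroed=%zu\n",
           scenario_rc(pad_target_checked, 32, 28, 4),
           scenario_guard_zeroed(pad_target_checked, 32, 28, 4));
    return 0;
}
```

In the constructed scenario the unchecked variant reports success and zeroes four guard bytes, which is the same shape as the primitive in the paragraph: a small, fixed-size write of zeroes landing just beyond a heap object at an offset the caller influenced. The checked variant rejects the same input with -EINVAL and leaves the guard intact, and a payload that fits (offset 16, or an 8-byte payload with no pad) still succeeds.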
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased