URL: https://duo.com/decipher/container-escape-flaw-fixed-in-cri-o-runtime-engine

Mar 17, 2022


CONTAINER ESCAPE FLAW FIXED IN CRI-O RUNTIME ENGINE

By Dennis Fisher

A critical vulnerability in the CRI-O container runtime used by some
Kubernetes clusters could allow an attacker to abuse the kernel.core_pattern
sysctl parameter to escape a container and gain code execution as root on any
node in the cluster.

The weakness lets an attacker bypass the safeguards in CRI-O that are meant to
let a pod set only namespaced, "safe" kernel parameters (sysctls) while blocking
changes that would affect the whole node. Exploiting the vulnerability can lead
to a container escape and root code execution on cluster nodes. Researchers at
CrowdStrike discovered the bug recently and reported it to Kubernetes, which
then worked with the CRI-O maintainers on a fix. The patch was released Tuesday.

“The Linux kernel accepts runtime parameters that control its behavior. Some
parameters are namespaced and can therefore be set in a single container without
impacting the system at large. Kubernetes and the container runtimes it drives
allow pods to update these “safe” kernel settings while blocking access to
others,” CrowdStrike’s analysis of the flaw says.

“CrowdStrike’s Cloud Threat Research team discovered a flaw introduced in CRI-O
version 1.19 that allows an attacker to bypass these safeguards and set
arbitrary kernel parameters on the host. As a result of CVE-2022-0811, anyone
with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime
can abuse the “kernel.core_pattern” parameter to achieve container escape and
arbitrary code execution as root on any node in the cluster.”
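Two checks an operator might want while a fix is being rolled out, written here as an added example rather than code from CrowdStrike or the CRI-O project: an admission-style audit that flags pod sysctl entries whose name is outside the kubelet's default safe allowlist or whose value is not purely numeric, and a node-side check of kernel.core_pattern for a pipe handler that is not a known core-dump tool (a leading "|" makes the kernel run that program as root in the host's namespaces whenever any process dumps core, which is what turns the parameter into an escape primitive). The safe-sysctl list, the trusted handler paths and the sample pod manifest are assumptions constructed for the example; compare them with your own cluster before relying on them.

```python
import re

# The kubelet's default allowlist of namespaced ("safe") sysctls that a pod may
# set without the node being started with --allowed-unsafe-sysctls. Assumption:
# this is the list for the Kubernetes releases current at the time of the
# article; compare it with your own kubelet configuration.
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
})

# Every sysctl on the safe list takes either one integer or an integer pair
# ("min max"), so anything else in a value is a finding in its own right.
NUMERIC_VALUE = re.compile(r"[0-9]+( [0-9]+)?")

# Core-dump handlers that legitimately sit behind a "|" in kernel.core_pattern.
# Assumption: adjust for the distribution running on your nodes.
TRUSTED_CORE_HANDLERS = frozenset({
    "/usr/lib/systemd/systemd-coredump",
    "/usr/share/apport/apport",
})


def audit_pod_sysctls(pod, allowed=SAFE_SYSCTLS):
    """Review pod.spec.securityContext.sysctls and return a list of findings.

    Two things are flagged: a sysctl name that is not on the allowlist (for
    example kernel.core_pattern, which is not namespaced and affects the whole
    node), and a value that is not purely numeric, which no allowlisted sysctl
    needs. An empty list means the pod only asks for safe sysctls with sane
    values.
    """
    findings = []
    spec = pod.get("spec") or {}
    security_context = spec.get("securityContext") or {}
    for entry in security_context.get("sysctls") or []:
        name = str(entry.get("name", ""))
        value = str(entry.get("value", ""))
        if name not in allowed:
            findings.append(f"sysctl {name!r} is not on the safe sysctl allowlist")
        if not NUMERIC_VALUE.fullmatch(value):
            findings.append(f"sysctl {name!r} has a non-numeric value {value!r}")
    return findings


def core_pattern_findings(core_pattern, trusted=TRUSTED_CORE_HANDLERS):
    """Inspect a kernel.core_pattern value read from a node.

    A value beginning with "|" tells the kernel to pipe every core dump into
    the named program, which the kernel starts as root in the host's own
    namespaces regardless of which container crashed. Any pipe handler that is
    not a known core-dump tool is therefore reported.
    """
    pattern = core_pattern.strip()
    if not pattern.startswith("|"):
        return []  # core dumps are written to a file path; no program runs
    parts = pattern[1:].split()
    handler = parts[0] if parts else ""
    if handler in trusted:
        return []
    return [f"kernel.core_pattern pipes core dumps to untrusted program {handler!r}"]


def read_node_core_pattern(path="/proc/sys/kernel/core_pattern"):
    """Read the live value on a node (run where the host /proc is visible)."""
    with open(path) as fh:
        return fh.read()


# Constructed sample pod (not from the article): two allowlisted sysctls with
# numeric values, plus a kernel.core_pattern entry, the parameter the
# CrowdStrike proof of concept abuses.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sample"},
    "spec": {
        "securityContext": {
            "sysctls": [
                {"name": "kernel.shm_rmid_forced", "value": "1"},
                {"name": "net.ipv4.ip_local_port_range", "value": "32768 60999"},
                {"name": "kernel.core_pattern", "value": "|/var/tmp/handler"},
            ]
        },
        "containers": [{"name": "app", "image": "busybox"}],
    },
}

if __name__ == "__main__":
    for finding in audit_pod_sysctls(SAMPLE_POD):
        print("pod:", finding)
    for finding in core_pattern_findings("|/var/tmp/handler"):
        print("node:", finding)
```

The pod audit is defense in depth rather than a patch: the kubelet already refuses sysctls outside its allowlist, so the value check is the part that matters for a runtime that mishandles what it is given. The node check is the quicker indicator of compromise; a core_pattern pointing at a program in a writable location on a node that should be using the distribution's coredump handler is worth treating as an incident.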

CRI-O is a lightweight container runtime for Kubernetes, an implementation of
the Kubernetes Container Runtime Interface (CRI) for running OCI-compatible
containers, designed as an alternative to Docker. The CrowdStrike researchers
created a proof-of-concept exploit for the vulnerability, which they have named
cr8escape.

“Kubernetes is not necessary to invoke CVE-2022-0811. An attacker on a machine
with CRI-O installed can use it to set kernel parameters all by itself. We used
Kubernetes in this POC to better illustrate the potential impact of the problem
and to more closely simulate how this would likely be used in the wild,” the
researchers said.

The vulnerability is patched in version 1.23.2 of CRI-O.

Copyright 2022 Duo Security