The issue lies in the way CRI-O sets the “cri-tools=” kernel option. This option controls the list of external tools that CRI-O can use to set up networking and attach to a container. An attacker can exploit this issue by setting the option to a malicious value and deploying a pod with CRI-O on the Kubernetes master or on any node where CRI-O is enabled. An example of a vulnerable setup is shown below; in it, nvidia-vmd and nvidia-gpu are CRI-O enabled container images used to manage CRI-O enabled NVIDIA GPU devices.
To exploit the issue, an attacker needs to change the “cri-tools=” option from its default value of “cri-load-linux-modules” to “cri-load-nvidia-modules” and deploy a pod with CRI-O on the Kubernetes master or on any node where CRI-O is enabled.

Once the above pod is running, an attacker who has changed the “cri-tools=” option to “cri-load-nvidia-modules” can achieve arbitrary code execution as root on the cluster node where the pod with CRI-O is running.
To help prevent this issue from being exploited, the “cri-tools=

Example of a vulnerable setup

One example of a setup that can be vulnerable to CVE-2022-0811 is shown below.

In this setup, nvidia-vmd and nvidia-gpu are CRI-O enabled container images that are used to manage CRI-O enabled NVIDIA GPU devices.
By changing the value of cri-tools from “cri-load-linux-modules” to “cri-load-nvidia-modules” and deploying a pod with CRI-O on the Kubernetes master or on any node where CRI-O is enabled, an attacker can achieve arbitrary code execution as root on the cluster node where the pod with CRI-O is running.
This vulnerability could also be exploited if nvidia --vmd is not configured in kubeadm.
To help prevent this issue from being exploited, we recommend you configure nvidia --vmd in kubeadm, or disable CRI on your Kubernetes cluster.

Timeline

Published on: 03/16/2022 15:15:00 UTC
Last modified on: 03/28/2022 13:18:00 UTC