CVE-2022-0811 A flaw was found in CRI-O in the way it set kernel options for a pod

The issue is present in the way CRI-O sets the “cri-tools=” kernel option. This option controls the list of external tools that CRI-O can use to set up networking and attach to a container. An attacker can exploit this issue by setting this option to a malicious value and deploying a pod with CRI-O on the Kubernetes master or any node where CRI-O is enabled. An example of a vulnerable setup is shown below. nvidia-vmd and nvidia-gpu are CRI-O-enabled container images that are used to manage CRI-O-enabled NVIDIA GPU devices.
To exploit the issue, an attacker needs to modify the “cri-tools=” option from its default value of “cri-load-linux-modules” to “cri-load-nvidia-modules” and deploy a pod with CRI-O on the Kubernetes master or any node where CRI-O is enabled.

Once the above pod is running, an attacker can modify the “cri-tools=” option to have a value of “cri-load-nvidia-modules” to exploit this issue and achieve arbitrary code execution as root on the cluster node where the pod with CRI-O is running.
To help prevent this issue from being exploited, the “cri-tools=

Example of a vulnerable setup

One example of a setup that can be vulnerable to CVE-2022-0811 is shown below.

In this setup, nvidia-vmd and nvidia-gpu are CRI-O-enabled container images that are used to manage CRI-O-enabled NVIDIA GPU devices.
By changing the value of the “cri-tools=” option from “cri-load-linux-modules” to “cri-load-nvidia-modules” and deploying a pod with CRI-O on the Kubernetes master or any node where CRI-O is enabled, an attacker can exploit this vulnerability and achieve arbitrary code execution as root on the cluster node where the pod with CRI-O is running.
This vulnerability could also be exploited if nvidia --vmd is not configured in kubeadm.
To help prevent this issue from being exploited, we recommend you configure nvidia --vmd in kubeadm, or disable CRI on your Kubernetes cluster.
