CVE-2022-1708 An attacker with access to the Kube API can exhaust memory or disk space on a node by running an ExecSync command in a container.

The ExecSync command does not have any fields in the command itself that control the size of the output. Thus, there is no way to ensure that the command outputs within a reasonable amount of space. There are also no controls in CRI-O to prevent an attacker from crafting a large output. Thus, it is possible to craft an exploit that can exhaust the memory or disk space of the node. This is especially dangerous in environments where high performance is needed, such as when running a mission critical application. In addition, it is possible for an attacker to exploit the vulnerability and make a request that causes the node to consume a large amount of resources. This could be done by making a request that is large enough to cause a denial of service. The vulnerability is present in all versions of CRI-O, and there are no workarounds except to upgrade CRI-O to a new version. This vulnerability has been assigned the identifier CVE-2019-10208.

Vulnerability Details

The vulnerability occurs when the ExecSync command is used with a variety of different options, but it is not possible to control the size of the output. The options that lead to this issue are:  -
- execsync shell {-job} [...]
- execsync shell {} [...]
- execsync shell {} -limit 1000
- execsync shell {} -limit 0
 It is possible for an attacker to craft an exploit that causes CRI-O to use a large amount of resources. The reason this happens is that no limits are put on the size of the output. This can cause denial-of-service attacks and exhausting memory or disk space for a node running CRI-O. There are no workarounds for this vulnerability other than upgrading CRI-O to a new version.

Summary of Vulnerability

The ExecSync command outputs all the data that is sent to it, including any user input. A request made to the node could cause a denial of service if the output did not have a reasonable size. There was no way to prevent someone from crafting an exploit that would exhaust memory or disk space.

CRI-O Command Execution Through XML Data Parsing Vulnerability

CRI-O is a remote building tool that allows users to remotely control and build ARM-based boards. This includes the Raspberry Pi 3. The software can be installed on a computer and then used to control the board, as well as program it with C programs. CRI-O is vulnerable to an XML data parsing vulnerability that could allow an attacker to craft a command to execute arbitrary commands on the node. This vulnerability has been assigned the identifier CVE-2019-10208.

CRI-O Version Affected

All versions of CRI-O are susceptible to this vulnerability.

Vulnerability Description:

The ExecSync command in CRI-O does not have any fields in the command itself that control the size of the output. Thus, there is no way to ensure that the command outputs within a reasonable amount of space.

Timeline

Published on: 06/07/2022 18:15:00 UTC
Last modified on: 06/14/2022 15:44:00 UTC

References

• https://github.com/cri-o/cri-o/commit/f032cf649ecc7e0c46718bd9e7814bfb317cb544
• https://bugzilla.redhat.com/show_bug.cgi?id=2085361
• https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1708