In early 2022, security researchers uncovered a critical vulnerability tracked as CVE-2022-27649. It impacted two of the most popular container runtimes: Podman and Docker (Moby Engine). This flaw could let attackers inside containers gain higher privileges, breaking some of the key security isolation promised by containers. In this article, we’ll break down how this vulnerability works, why it matters, how to exploit it, and how to protect your systems.
What’s the Problem?
Both Podman and Docker are supposed to isolate containers from the host system. They do this using several Linux security controls, one being capabilities. Simply put, capabilities are a refined way to give processes just enough privileges to do their job, not full root.
CVE-2022-27649 exists because both Podman and Docker started containers with a non-empty list of “inheritable” Linux capabilities by default. If an attacker can run code inside that container, they can trick the Linux kernel into upgrading those “inheritable” capabilities into “permitted” ones. This lets them do more inside the container, and potentially affect the host.
Original advisory by Red Hat:
https://access.redhat.com/security/cve/CVE-2022-27649
Docker’s official CVE report:
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
Ambient: Gets inherited over execve() unless removed.
Vulnerability: Normally, “inheritable” capabilities are empty in containers. But due to the flaw, containers were started with non-empty inheritable sets – so binaries with inheritable file capabilities could upgrade these to permitted with the right trick.
The Exploit: How to Gain Extra Privileges
Suppose an attacker can run a program in a vulnerable container. If they find a binary on the container’s filesystem with a special capability set (“file capability”), and the container was started with a non-empty inheritable set, here’s how they elevate themselves:
Launch it inside the vulnerable container.
3. The Linux kernel will combine the process’s inheritable set with the file’s inheritable set at execution (execve system call), transferring any inheritable capabilities to the permitted set.
Code Snippet: Listing binaries with file capabilities
getcap -r / 2>/dev/null
Typical output
/usr/bin/ping = cap_net_raw+ep
/usr/bin/somebinary = cap_sys_admin+ep
If you can execute /usr/bin/ping (with cap_net_raw), and the inheritable set is not empty (due to the bug), you get that capability in your permitted set as well!
Quick Proof-of-Concept
Let’s demonstrate the vulnerability in a simplified way.
`bash
getcap -r / 2>/dev/null
`bash
/usr/bin/ping -c 1 127...1
Check the process’s capabilities again inside the spawned process:
This process may now have an increased permitted set, potentially allowing privilege escalation or container escape if exploited further.
Privilege escalation: Attackers can get more power inside a container, potentially breaking out.
- Container-to-host attacks: With the right capabilities (like CAP_SYS_ADMIN), attackers can manipulate the host via container escape exploits.
- Widespread impact: Almost all major Linux distributions running Docker/Podman before the patch are affected.
Original References
- Red Hat CVE Advisory
- GitHub Moby Advisory
- CVE Details
Update Docker and Podman: Make sure you’re running the latest, patched versions.
- Podman release notes
- Docker release notes
Avoid running containers as root.
- Set up runtime seccomp/apparmor profiles for extra defense.
Summary
*CVE-2022-27649* is a powerful reminder that even subtle security design mistakes – like keeping a default capability set non-empty – can have big impacts. Always keep your container tools up to date, audit permissions, and regularly review your security settings. Attackers are always watching for these cracks in the armor.
Timeline
Published on: 04/04/2022 20:15:00 UTC
Last modified on: 07/22/2022 10:32:00 UTC