CVE-2022-27650: Crun and Moby (Docker Engine) Containers Start Incorrectly with Non-Empty Default Permissions – Exploit Details, Code Snippets & Official References

In the world of containerization, security is of utmost importance. With that said, it's crucial that security issues are identified and fixed in a timely fashion. CVE-2022-27650 is the identifier for two flaws found in crun and Moby (Docker Engine). These vulnerabilities stem from containers being started incorrectly with non-empty default permissions, which allows potential exploits.

In this post, we will discuss the details of these vulnerabilities, share code snippets to highlight the issue, and provide links to original references, ultimately helping you understand the implications of this flaw and take appropriate measures.

Crun Flaw Overview

Crun is a lightweight, fast, and secure container runtime. It's meant to be a drop-in alternative for runc. The flaw found in crun is that containers are being incorrectly started with non-empty default permissions.

Moby (Docker Engine) Flaw Overview

Moby is an open source framework that powers Docker Engine. Within Moby, the same vulnerability that affects crun has been found. Containers are started incorrectly with non-empty inheritable Linux process capabilities.

Exploit Details

An attacker with access to programs with inheritable file capabilities can exploit this flaw, ultimately able to elevate those capabilities to the permitted set when execve(2) is executed. This may lead to a container breakout and arbitrary code execution on the host.

Below is a code snippet demonstrating the issue

// Code snippet demonstrating incorrect container startup with non-empty default permissions
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <linux/capability.h>

void trigger_vulnerability() {
    // Capabilities before execve
    cap_t caps = cap_get_proc();
    printf("Before execve: %s\n", cap_to_text(caps, NULL));
    cap_free(caps);

    // Execute vulnerable program with inheritable capabilities
    char *argv[] = {"/path/to/vulnerable/program", NULL};
    execve(argv[], argv, NULL);

    perror("execve"); // Only reached if execve fails
}

int main() {
    // Set inheritable capabilities
    cap_t caps = cap_get_proc();
    cap_set_flag(caps, CAP_INHERITABLE, <necessary_capabilities>, <capability_values>);
    cap_set_proc(caps);

    trigger_vulnerability();

    return ;
}

Mitigation Suggestions

To mitigate these vulnerabilities, it's essential to ensure proper handling of Linux process capabilities during container initialization. Vendors are advised to apply available patches and updates to crun and Moby (Docker Engine) to prevent these vulnerabilities from being exploited.

To receive updated versions of crun, Moby (Docker Engine), and other container runtimes with the necessary patches, we recommend visiting the respective project's GitHub repositories:

- Crun: https://github.com/containers/crun
- Moby: https://github.com/moby/moby

Final users should ensure that they are using the latest, patched versions of these container runtimes while maintaining regular updates.

Conclusion

CVE-2022-27650 details the exploitability of a serious vulnerability found within crun and Moby (Docker Engine). With containers being started incorrectly with non-empty default permissions, attackers can potentially gain unauthorized access and capabilities. By understanding this vulnerability and ensuring that proper updates are applied, users can help maintain the security of their containerized environments.

Timeline

Published on: 04/04/2022 20:15:00 UTC
Last modified on: 04/13/2022 17:12:00 UTC