CVE-2022-27651 - How A Linux Container Bug in Buildah and Docker Let Attackers Boost Their Privileges

In early 2022, security researchers discovered a critical flaw impacting both Buildah and Docker (Moby) — the backbone tools for building and running containers. This vulnerability, tracked as CVE-2022-27651, let attackers sneakily expand their privileges inside containers by exploiting Linux capabilities passed along to containerized processes. This post will break down how it happened, who’s impacted, and what you can do about it, all in plain English.

What Exactly Happened?

Containers like those built using Buildah or Docker should ideally run with the least power possible — that means minimal Linux capabilities. Unfortunately, due to the issues behind CVE-2022-27651, containers started up with more inherited capabilities than they should have.

Let’s translate that

- Linux capabilities: These are privileges for processes, like CAP_NET_ADMIN (network admin stuff), CAP_SYS_ADMIN (super admin), etc.
- Inheritable set: Capabilities you _could_ gain if you run specific binaries (for example, ping with network capabilities).

Because containers had a non-empty (not zeroed) _inheritable_ set by default, anyone running certain tools or scripts inside those containers could grab more privileges than intended.

In Linux, running a binary marked with a file capability, like

sudo setcap cap_net_raw+ep /usr/bin/ping

...lets any user use raw network functions via /usr/bin/ping.

Inside a vulnerable container with a _non-empty effective_ and _inheritable_ capability set, you could run:

/usr/bin/ping 8.8.8.8

With the right attack, when execve() is called, the process could inherit more capabilities from the _inheritable_ set — pushing those rights into its _permitted_ set. In other words, stuff you weren't supposed to ever do in the container just became possible!

Potentially attack the host system indirectly

Impact: Confidentiality and integrity inside (and sometimes _outside_) the affected container are put at risk.

Let’s demonstrate with a simplified example

Suppose the container starts with inheritable capabilities, including CAP_NET_RAW.

Check our available capabilities inside the container:

cat /proc/self/status | grep Cap

Look at the CapInh (inheritable) and CapPrm (permitted). You’d expect CapInh to often be zero. In the buggy containers, it wasn’t.

Run a setcap-enabled binary:

setcap cap_net_raw+ei /tmp/mybinary   # Give inheritable and effective RAW NET

// mybinary.c: Simple C file to demo new capabilities
#include <stdio.h>
#include <unistd.h>
int main() {
    printf("Hello from privileged binary!\n");
    // Try to perform privileged action (like opening raw socket)
}

Inherit more capabilities than expected on execve:

Running /tmp/mybinary inside the vulnerable container would inherit the raw network capability, even if the container config didn’t explicitly grant it.

The Underlying Issue in the Code

Before the patch, configuration for containers (especially around process capabilities) looked something like:

process.Capabilities = []string{"CAP_CHOWN", "CAP_NET_RAW", "CAP_SYS_ADMIN"}  // etc

Whenever a container was launched, instead of setting inheritable to empty, it sometimes inherited the default list from the image or the Docker host.

After the fix, the runtime ensures that containers start with an empty inheritable capability set, so no extra privileges are passed along during execve.

Timeline & Affected Systems

- Products: Docker Engine (Moby), Buildah, and downstream tools using similar container runtime code.

Announced: Early March 2022

- Fixes released: Moby PR #43191 and Buildah PR #3783

If you're running containers based on these projects, update immediately.

References & Further Reading

- NVD: CVE-2022-27651
- Docker Engine Security Advisory (GHSA-47g7-2f2w-7h88)
- Buildah Security Advisory
- Linux Capabilities Explained (Red Hat)

If you run Docker, Buildah, or related container systems

1. Patch immediately: Update Docker to version 20.10.15+ and Buildah to 1.25.1+, or latest available for your distribution.
2. Review container images: Make sure you don't have binaries with dangerous capabilities (setcap).

Conclusion

CVE-2022-27651 might look like a minor misconfiguration at first—but in containerized environments, small bugs can open big doors. By understanding Linux capabilities and always running updated software, you can keep your workloads secure and robust.

Stay safe, and never trust your containers by default!

Timeline

Published on: 04/04/2022 20:15:00 UTC
Last modified on: 05/07/2022 07:15:00 UTC