In this post, we will cover a critical vulnerability, CVE-2022-27652, that has been discovered in cri-o and Moby (Docker Engine) containers. The vulnerability stems from containers being started with non-empty default permissions (non-empty inheritable Linux process capabilities) and has severe security implications that must be addressed immediately. We will outline the specifics of the vulnerability, provide a code snippet to illustrate the issue, and offer links to the original references to help you address it on your systems.
Overview of CVE-2022-27652
A serious flaw was found in cri-o (a lightweight container runtime), where containers were incorrectly started with non-empty default permissions. Specifically, cri-o had its default configuration of inheritable process capabilities set to non-empty, which implies that any process inheriting these capabilities could have access that was not intended.
In addition, a vulnerability was discovered in the Moby container engine (Docker Engine), where containers were mistakenly started with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when the execve(2) system call executes.
These vulnerabilities can lead to severe consequences if left unaddressed. The primary concern is that an attacker with the appropriate access could use them to gain elevated privileges on the host system, obtaining access and control that was never intended.
Exploit Details for CVE-2022-27652
Here's a simple code snippet that demonstrates the core issue that arises when an attacker exploits the inheritable file capabilities in question:
import os
import sys

def execve_exploit():
    # Fork: the child switches to an unprivileged uid and then calls execve(2)
    # on bash, which simply prints its identity with "id".
    if os.fork() == 0:
        # setresuid(2) succeeds only when the calling process has CAP_SETUID (or runs as root).
        os.setresuid(100, 100, 100)
        os.execve("/bin/bash", ["/bin/bash", "-c", "id"], os.environ.copy())
    else:
        # The parent waits so the child's output is not interleaved with the shell prompt.
        os.wait()

if __name__ == '__main__':
    execve_exploit()
In this example, we simulate the environment of a process that inherits Linux capabilities across the execve system call. Running this code as a user with lower privileges than root showcases the elevation of permissions that results from the non-empty inheritable capabilities present in affected containers.
Mitigation Tips for CVE-2022-27652
To remediate this vulnerability and secure your cri-o and Docker Engine (Moby) containers, follow these steps:
1. Update your cri-o and Docker Engine installations to the latest versions. The respective developers have released patches addressing these issues.
- For cri-o, consult the official release notes and changelog here: https://github.com/cri-o/cri-o/releases
- For Docker Engine (Moby), visit the official release page here: https://github.com/moby/moby/releases
2. Modify the default configurations for both cri-o and Docker Engine (Moby) to have their inheritable process capabilities set to empty.
- For cri-o, update your /etc/crio/crio.conf configuration file to set default_capabilities = "" and restart the cri-o service.
- For Docker Engine (Moby), add --cap-drop=all to the docker run command. This will drop all inheritable capabilities from the container process.
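To verify that the mitigation took effect inside a running container, and to make the execve rule behind the flaw concrete, here is an added example that is not part of the original post or of either project's code: it decodes the CapInh line of /proc/<pid>/status into capability names and applies the permitted-set rule from capabilities(7). The status text is a constructed sample whose CapInh equals the engine's default capability set; the function and constant names are my own.

```python
import re

# Linux capability bit numbers: the index in this tuple is the bit (see capabilities(7)).
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)

def parse_cap_field(status_text, field):
    """Return the hex mask of one Cap* line (e.g. 'CapInh') from /proc/<pid>/status text."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % re.escape(field), status_text, re.M)
    if m is None:
        raise ValueError("no %s line in status text" % field)
    return int(m.group(1), 16)

def decode_caps(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def inheritable_caps(status_text):
    """Names in CapInh; a container started with the fix applied should return []."""
    return decode_caps(parse_cap_field(status_text, "CapInh"))

def permitted_after_execve(p_inh, p_bnd, f_inh, f_perm):
    """capabilities(7) rule for a non-root execve without ambient capabilities:
    P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)).
    With P(inheritable) == 0 the first term vanishes, which is what emptying CapInh restores."""
    return (p_inh & f_inh) | (f_perm & p_bnd)

# Constructed sample (not captured from a real host): the Cap* lines of /proc/1/status in a
# container whose engine still populated CapInh with its default capability set.
SAMPLE_STATUS = """Name:\tsh
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print("non-empty CapInh:", inheritable_caps(SAMPLE_STATUS))
```

On a live system, replace SAMPLE_STATUS with the contents of /proc/1/status read from inside the container; an empty list from inheritable_caps means the inheritable set is clear.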
Conclusion
CVE-2022-27652 is a critical vulnerability that affects the cri-o container runtime and Moby (Docker Engine) by starting containers with non-empty default permissions. By exploiting it, an attacker can gain elevated privileges on the targeted host system and harm your infrastructure. To protect your systems, it is vital that you update your cri-o and Docker Engine installations immediately and apply the configuration changes above to mitigate the risk associated with the flaw.
For more information on this vulnerability, consult the original references here:
- Official Advisory for cri-o: https://access.redhat.com/security/cve/cve-2022-27652
- Official Advisory for Docker Engine (Moby): https://access.redhat.com/security/cve/cve-2022-27652
Stay vigilant and secure your systems by regularly checking for updates and applying security patches as they become available.
Timeline
Published on: 04/18/2022 17:15:00 UTC
Last modified on: 04/27/2022 00:22:00 UTC