CVE-2022-2995

Handling of supplementary groups in the CRI-O container engine might lead to sensitive information disclosure or data modification.

To exploit this vulnerability, an adversary needs to inject malicious code into the affected container, which can be easily achieved if the supplementary groups are not correctly secured.

Supplementary (-s) groups are used to group together one or more authentication sources. For example, if a user is trying to access a web application through a role but has to use one of the following authentication sources: password, smart card, or even a picture of the finger, the user will be grouped under one supplementary group.
On Linux distributions, supplementary groups can be created by setting the group name in the group directive in the /etc/ss/ss.conf configuration file:

In Red Hat Enterprise Linux and derivatives, the group directive is:

Supplementary groups can also be created with the groups directive in the /etc/ss/ss.conf configuration file:
Red Hat Enterprise Linux and derivatives do not ship with an implementation of this configuration file, so supplementary groups have to be created manually.

To list all the supplementary groups currently set on the system, run the following command:
Supplementary groups can be enabled or disabled by editing the configuration file and setting the group directive.
For example, to disable the ‘users’ supplementary group, the following line needs to be added:

Supplementary groups can also be disabled by unsetting them from the group directive in the /etc/ss/ss.conf

Potential Mitigation - Use Strong Authentication Sources

The best way to prevent attackers from exploiting this vulnerability is to apply strong authentication sources, such as a smart card or a picture of the finger. These authentication sources are stronger than passwords and supplementary groups that don't require physical interaction with the system. However, to make it easier for users, we need to make sure that they can easily use these authentication methods without any additional effort.

For example, when setting up a smart card reader on a Linux system, you will be required to set an option called ‘smartcard’ in the sssd.conf configuration file:

The following line needs to be added in order for the smart card reader to work properly:

CVE-2022-2996

To exploit this vulnerability, an adversary needs to inject malicious code into the affected container, which can be easily achieved if the supplementary groups are not correctly secured.

Supplementary (-s) groups are used to group together one or more authentication sources. For example, if a user is trying to access a web application through a role but has to use one of the following authentication sources: password, smart card, or even a picture of the finger, the user will be grouped under one supplementary group.
On Linux distributions, supplementary groups can be created by setting the group name in the group directive in the /etc/ss/ss.conf configuration file:
In Red Hat Enterprise Linux and derivatives, the group directive is:

Supplementary groups can also be created with the groups directive in the /etc/ss/ss.conf configuration file:
Red Hat Enterprise Linux and derivatives do not ship with an implementation of this configuration file, so supplementary groups have to be created manually.
To list all the supplementary groups currently set on the system, run the following command:
Supplementary groups can be enabled or disabled by editing the configuration file and setting the group directive.
For example, to disable all of them (except for users), run this command as root:

Timeline

Published on: 09/19/2022 20:15:00 UTC
Last modified on: 09/21/2022 18:05:00 UTC
