A new vulnerability has been spotted recently in the Linux Control group, a Linux kernel feature that allows processes to be organized into hierarchical groups. The vulnerability is tracked as CVE-2022-0492 is a High severity vulnerability with a CVSS score of 7.0. This vulnerability allows adversaries to escape containers and could perform arbitrary command execution on the host machine. Users of containers should know about this vulnerability and fix them up as soon as possible. We have created this post to help users to learn how to fix CVE-2022-0492- Privilege escalation and container escape vulnerabilities in Cgroup.
Before we dive into fixing the vulnerability, let’s understand some basics about Cgroups.
Table of Contents
What Is Cgroups?
Control groups, referred to as cgroups, are a Linux kernel feature that allows organized processes into hierarchical groups. This feature made it a perfect building block of containers and allowed administrators to limit and isolate the resource usage of a collection of processes. Linux systems support two architectures of Cgroup, (1) v1 and (2) v2. The CVE-2022-0492 vulnerability exists in v1, which is the most prevalent architecture as of.
What Is Cgroupfs?
Cgroup is a pseudo-filesystem used as an interface to manage Cgroups. It is mounted under /sys/fs/cgroup, which is the root directory of Cgroupfs. Cgroups are divided into several subsystems to manage different resources such as memory, CPU, block IO, remote direct memory access (RDMA). For example, memory subgroup mounted on /sys/fs/cgroup/memory is used to limit the memory consumption of a collection of processes, device subgroup mounted on /sys/fs/cgroup/device is used to defines which devices can be accessed by processes in the cgroup.
Each subsystems are mounted at /sys/fs/cgroup/<subsystem>. A directory under a subgroup is called child group. For example, a docker container mounted at at /sys/fs/cgroup/<subsystem>/docker/<ctr-id> is a child group of the subgroup.
Summary Of CVE-2022-0492- Privilege Escalation And Container Escape Vulnerabilities In Cgroups:
As per the Unit 42, “At first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem bizarre. In the past, this wouldn’t be considered a security issue. But today, running as root doesn’t necessarily mean full control over the machine: There’s a gray area between the root user and full privileges that include capabilities, namespaces, and containers. In these scenarios where a root process doesn’t have full control over the machine, CVE-2022-0492 becomes a serious vulnerability”.
Unit 42- Palo Alto
Associated CVE ID | CVE-2022-0492 |
Description | Privilege Escalation and Container Escape Vulnerabilities in Cgroups |
Associated ZDI ID | – |
CVSS Score | 7.0 Medium |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Impact Score | – |
Exploitability Score | – |
Attack Vector (AV) | Low |
Attack Complexity (AC) | High |
Privilege Required (PR) | Low |
User Interaction (UI) | None |
Scope | Unchanged |
Confidentiality (C) | High |
Integrity (I) | High |
availability (a) | High |
Containers Vulnerable To CVE-2022-0492- Privilege Escalation And Container Escape Vulnerability In Cgroups:
The flaw doesn’t affect all the containers. The flaw can be exploited only in some circumstances.
- The container should have the v1 architecture of cgroups.
- Root privilege without the no_new_privs flag set.
- Container with disabled AppArmor or SELinux and without Seccomp features.
- On a host that enables unprivileged user namespaces.
Or
- The container should have the v1 architecture of cgroups.
- The container with CAP_SYS_ADMIN capability enabled.
- Container with disabled AppArmor or SELinux and without Seccomp features.
- Container without cgroup namespaces.
How To Test Your Container Is Vulnerable to CVE-2022-0492?
Researchers from Palo Alto’s unit 42 team has developed a script to test whether your container is vulnerable to CVE-2022-0492. You should need to pull and run the pre-build image us-central1-ocker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest from public repository. The container will tell you as soon as you run the image.
# Run this command to pull the container image:
$ sudo docker pull us-central1-docker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest
# Run this command to run the container image:
$ sudo docker run us-central1-docker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest
Further checks to determine the container is vulnerable to CVE-2022-0492:
Run the container by tweaking the configurations of AppArmor or SELinux and Seccomp features.
$ sudo docker run --rm -it --cap-add sys_admin us-central1-docker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest
$ sudo docker run --rm -it --cap-add sys_admin --security-opt apparmor=unconfined us-central1-docker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest
$ sudo docker run --rm -it --security-opt apparmor=unconfined --security-opt seccomp=unconfined us-central1-docker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest
In this scenario, we can clearly say that our container is vulnerable to the flaw. It is just protected by AppArmor or SELinux and Seccomp features.
How To Fix CVE-2022-0492- Privilege Escalation And Container Escape Vulnerabilities In Cgroups?
The flaw is patched in the latest version of the kernel. All are encouraged to upgrade to the latest kernel. Please contact your vendor or Linux distributions to get the latest versions.
In the previous session, we can say that the container is vulnerable to the flaw. It is just protected by AppArmor or SELinux and Seccomp features. Keep the AppArmor or SELinux and Seccomp features enabled until there is a permanent fix.
General mitigations are:
- Enable AppArmor or SELinux on Kubernetes.
- Enable Seccomp on Kubernetes.
- In a case of privilege escalation due to a malicious host process, you may need to disable unprivileged user namespaces using this command:
$ sudo sysctl -w kernel.unprivileged_userns_clone=0 - Palo Alto developed a script to prevent processes from setting the release_agent in any cgroup mount. This script masks all release_agent files with a read-only bind mount. If your system mounts cgroups at a different path, provide the path as an argument to the script.
#!/bin/bash
set -e
mask_dir=/var/lib/cve_2022_0492_release_agent_mask
cgroup_dir=/sys/fs/cgroup
if [ ! -z "$1" ]; then cgroup_dir=$1 ; fi
echo "[+] Creating mask at $mask_dir/mask"
sudo mkdir -p $mask_dir
sudo mount -t tmpfs release_agent_mask $mask_dir
sudo touch $mask_dir/mask
sudo mount -o remount,ro $mask_dir
for release_agent in $(find $cgroup_dir -name 'release_agent') ;do
echo "[+] Mounting read-only mask over $release_agent"
sudo mount --bind $mask_dir/mask $release_agent
done
How To Upgrade Kernel On Your Linux?
There are multiple ways to update the kernel on Linux. The best and the native way is to download and install the tested kernel package. Please contact your support to choose the best way that works for you. Just for the demonstration, we are going to show you how to upgrade the kernel on Ubuntu or Debian servers in a native way.
How to Fix CVE-2022-0492 on Ubuntu?
Note: Before you download and install on your production server, we recommend to test this on a test machine. Don’t forget to take the full VM snapshot if are upgrading kernel on a Virtual Image. Or, take filesystem back up if you have a physical server.
- Check the kernel version
Before you start upgradation, check the version of the kernel your server has. What if the kernel version is not in the list of affected versions, If so, you can schedule this later as per your time.
Run this command to check the kernel version.
$ uname -rs
- Download kernel modules 5.17
Download the kernel packages directly from the kernel.ubuntu.com website. Download the latest version available (At the bottom) from the website to a dedicated directory. Change the permission of the files to execute.
Create a directory in your path:
$ mkdir /home/arunkl/kernel-5.17
Change the directory:
$ cd /home/arunkl/kernel-5.17/
Download these two files (where X.Y.Z is the highest version):
1. linux-image-*X.Y.Z*-generic-*.deb
2. linux-modules-X.Y.Z*-generic-*.debCommands to download the kernel v5.17
$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.17-rc7/amd64/linux-image-unsigned-5.17.0-051700rc7-generic_5.17.0-051700rc7.202203062330_amd64.deb
$ wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.17-rc7/amd64/linux-modules-5.17.0-051700rc7-generic_5.17.0-051700rc7.202203062330_amd64.debRun this command to set the files permission to execution mode:
$ chmod +x *.deb
- Install kernel module 5.17
Install the downloaded packages using the default dpkg utility then reboot the server.
$ sudo dpkg –install *.deb
$ reboot - Check the kernel version after reboot
Use the same command used in the first step. You will see upgraded kernel version if everything goes well.
$ uname -rs
We hope this post will help you in knowing How to Fix CVE-2022-0492- Privilege Escalation and Container Escape Vulnerabilities in Cgroups. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/aiops/270171.html