New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers
A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host.
A lightweight alternative to Docker, CRI-O is a container runtime implementation of the Kubernetes Container Runtime Interface that's used to pull container images from registries and launch an Open Container Initiative-compatible runtime such as runC to spawn and run container processes.
The vulnerability is rated 8.8 on the CVSS vulnerability scoring system and affects CRI-O versions 1.19 and later.
19 to set kernel options for a pod, resulting in a scenario where a bad actor with permissions to deploy a pod on a Kubernetes cluster using the CRI-O runtime can take advantage of the "kernel.core_pattern" parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
The parameter "kernel.core_pattern" is used to specify a pattern name for a core dump, which is a file containing the memory snapshot of a program at a specific time that's typically activated in response to unexpected crashes or when the process terminates abnormally.
"If the first character of the pattern is a '|' [a pipe], the kernel will treat the rest of the pattern as a command to run. The core dump will be written to the standard input of that program instead of to a file," reads the Linux kernel documentation.
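A defender-side audit of the pipe behaviour described above, as an added example that is not from the original article or the CRI-O project: it classifies a node's `kernel.core_pattern` value and flags pod manifests whose sysctl entries reference that parameter. The handler allowlist, function names and sample values are assumptions constructed for illustration.

```python
import json

# Assumption: pipe handlers a node is expected to use; adjust per distribution.
ALLOWED_HANDLERS = {
    "/usr/lib/systemd/systemd-coredump",
    "/usr/share/apport/apport",
}

def classify_core_pattern(value):
    """Return 'file', 'allowed-pipe' or 'unexpected-pipe' for a core_pattern value."""
    value = value.strip()
    if not value.startswith("|"):
        return "file"                      # core dump is written to a file
    parts = value[1:].split()              # rest of the pattern is a command line
    handler = parts[0] if parts else ""
    return "allowed-pipe" if handler in ALLOWED_HANDLERS else "unexpected-pipe"

def read_node_core_pattern(path="/proc/sys/kernel/core_pattern"):
    """Read the live value on a Linux node."""
    with open(path) as fh:
        return fh.read()

def pod_sysctl_findings(pod):
    """Heuristic: list pod sysctl entries that mention kernel.core_pattern anywhere."""
    ctx = pod.get("spec", {}).get("securityContext") or {}
    findings = []
    for entry in ctx.get("sysctls") or []:
        name, val = str(entry.get("name", "")), str(entry.get("value", ""))
        if "kernel.core_pattern" in name or "kernel.core_pattern" in val:
            findings.append((name, val))
    return findings

# Constructed sample manifest (not taken from the article).
SAMPLE_POD = json.loads("""
{"metadata": {"name": "constructed-pod"},
 "spec": {"securityContext": {"sysctls": [
   {"name": "kernel.shm_rmid_forced", "value": "1"},
   {"name": "kernel.core_pattern", "value": "|/tmp/constructed-handler %p"}
 ]}}}
""")

if __name__ == "__main__":
    print("node:", classify_core_pattern(read_node_core_pattern()))
    for name, val in pod_sysctl_findings(SAMPLE_POD):
        print("review pod sysctl:", name, "=", val, "->", classify_core_pattern(val))
```

Run it on each node to check the live value, and feed it manifests exported as JSON to review workloads that set sysctls.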
News URL
https://thehackernews.com/2022/03/new-vulnerability-in-cri-o-engine-lets.html