
Kubernetes and CRI-O release patch for vulnerability today; CrowdStrike customers protected
- CrowdStrike cloud security researchers discovered a new vulnerability (dubbed “cr8escape” and tracked as CVE-2022-0811) in the Kubernetes container engine CRI-O.
- CrowdStrike disclosed the vulnerability to Kubernetes, which worked with CRI-O to issue a patch that was released today.
- It is recommended that CRI-O users patch immediately.
- CrowdStrike customers are protected from this threat by the Falcon sensor for Linux or the Falcon Cloud Workload Protection module.
Summary
CrowdStrike’s Cloud Threat Research team discovered a new vulnerability (CVE-2022-0811) in CRI-O (a container runtime engine underpinning Kubernetes). Dubbed “cr8escape,” when invoked, an attacker could escape from a Kubernetes container and gain root access to the host and be able to move anywhere in the cluster. Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data and lateral movement across pods.
Attempted exploits of this vulnerability can be detected by the Falcon sensor for Linux or the Falcon Cloud Workload Protection module. CrowdStrike disclosed the vulnerability to Kubernetes, which worked with CRI-O to issue a patch that was released today. The CVE score is 8.8 (High) and the potential impact is widespread, as many software and platforms use CRI-O by default. It is recommended that CRI-O users patch immediately. CrowdStrike customers can use Falcon Spotlight™ vulnerability management to see which hosts are affected and patch where recommended to aid against exploitation.
Kubernetes uses a container runtime like CRI-O or Docker to safely share each node’s kernel and resources with the various containerized applications running on it. The Linux kernel accepts runtime parameters that control its behavior. Some parameters are namespaced and can therefore be set in a single container without impacting the system at large. Kubernetes and the container runtimes it drives allow pods to update these “safe” kernel settings while blocking access to others.
CrowdStrike’s Cloud Threat Research team discovered a flaw introduced in CRI-O version 1.19 that allows an attacker to bypass these safeguards and set arbitrary kernel parameters on the host. As a result of CVE-2022-0811, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the “kernel.core_pattern” parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.
Impact
Directly Affected Software
- CRI-O version 1.19+
To determine if a host is affected: run
crio —version
Indirectly Affected Software and Platforms
While the vulnerability is in CRI-O, software and platforms that depend on it are also likely to be vulnerable, including:
- OpenShift 4+
- Oracle Container Engine for Kubernetes
Detection
The CrowdStrike Falcon sensor included in the CrowdStrike Falcon Cloud Workload Protection module, which protects Kubernetes and containers, will detect attempts to exploit CVE-2022-0811 as privilege escalation. The Falcon sensor for Linux is able to see the pinns utility command execution and detect and prevent this behavior during runtime.
Source: CrowdStrike Blog
Fachartikel

LIVE WEBINAR: Verschlüsselter und einfacher Datentransfer per E-Mail oder Datenraum

Cybersecurity: Endlich Schluss mit dem Tool-Wahnsinn

SD-WAN: Warum DDI der Schlüssel zu effizientem Management ist

(Keine) Cyberrisiken (mehr) im erweiterten Zulieferer-Netzwerk

Wie Managed Service Provider (MSP) Daten vor Ransomware-Angriffen schützen sollten
Studien

Cybersicherheit: Unternehmen unterschätzen Risiken durch Partner und Lieferanten

IBM „Cost of a Data Breach“- Studie 2022: Verbraucher zahlen den Preis, da die Kosten für Datenschutzverletzungen ein Allzeithoch erreichen

Gestohlene Zugangsdaten sind im Dark Web günstiger als ein Döner

Jedes zweite Fertigungsunternehmen rechnet mit Zunahme von Cyberangriffen – bei weiterhin lückenhafter Cybersicherheit

Hybride Arbeitsmodelle: Firmware-Angriffe nehmen signifikant zu
Whitepaper

Trellix Threat Labs Report: ein Blick auf die russische Cyber-Kriminalität

Q1 2022 Lage der IT-Sicherheit: 57 % aller Sicherheitsvorfälle gehen auf bekannte Netzwerkschwachstellen zurück

Ransomware-Vorfälle nehmen weiter zu

DDOS-Angriffe in Deutschland sinken, aber neue fokussiere Angriffstechniken werden weiterentwickelt
