New Linux Kernel cgroups Vulnerability Could Let Attackers Escape Container

Details have emerged about a now-patched high-severity vulnerability in the Linux kernel that could potentially be abused to escape a container in order to execute arbitrary commands on the container host.

The shortcoming resides in a Linux kernel feature called control groups, also referred to as cgroups version 1 (v1), which allows processes to be organized into hierarchical groups, thereby making it possible to limit and monitor the usage of resources such as CPU, memory, disk I/O, and network.

Tracked as CVE-2022-0492 (CVSS score: 7.0), the issue concerns a case of privilege escalation in the cgroups v1 release_agent functionality, a script that’s executed following the termination of any process in the cgroup.

“The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users,” Unit 42 researcher Yuval Avrahami said in a report published this week.

The man page for cgroups explains its function as follows –

Whether or not the release_agent program is invoked when a particular cgroup becomes empty is determined by the value in the notify_on_release file in the corresponding cgroup directory. If this file contains the value 0, then the release_agent program is not invoked. If it contains the value 1, the release_agent program is invoked. The default value for this file in the root cgroup is 0.

Specifically, the Palo Alto Networks threat intelligence team noted that the bug is a consequence of a missing verification to check whether the process setting the release_agent file had administrative privileges, thereby making it ripe for potential exploitation. Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *