Details have surfaced of a serious, already patched vulnerability in the Linux kernel that could be used to escape a container and execute arbitrary commands on the container host.
The vulnerability, CVE-2022-0492, was found in control groups (cgroups), the Linux kernel feature that organizes processes into hierarchical groups with defined resource limits and exposes programmatic control over them.
The bug sits in the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. The cgroups v1 release_agent file holds the path of a program that the kernel runs, with full host privileges, once the last process leaves a cgroup flagged with notify_on_release; the kernel did not check that whoever wrote this file held CAP_SYS_ADMIN, so under certain conditions an attacker can use the release_agent feature to escalate privileges and bypass namespace isolation.
“This is one of the simplest Linux privilege escalations discovered in recent times: the Linux kernel mistakenly granted a privileged operation to unprivileged users,” Unit 42 researcher Yuval Avrahami said in a report published this week.
However, only processes running as root can write to the file, so the flaw lets only root processes elevate their privileges.
“At first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem strange,” Avrahami explained. “Running as root does not necessarily mean full control of the machine: there is a gray area between root and full privileges, including capabilities, namespaces, and containers. In these scenarios, when the root process does not have full control over the machine, CVE-2022-0492 becomes a serious vulnerability.”
Although containers running under AppArmor or SELinux are protected against the exploit, users are still advised to apply the patches, because the flaw can also be abused by a malicious process on the host to elevate privileges.
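As an added example (not code from the article or from Unit 42), the script below audits the preconditions described above from inside a container: it checks whether the process is root, whether a cgroup v1 hierarchy (where the release_agent file lives) is visible, and whether an AppArmor profile or SELinux label confines the process. The static checks read their input from files so they can be exercised with constructed samples; only `probe_release_agent_write` touches the kernel, and it assumes util-linux `unshare`, a root uid, and that the container sits at the root of the chosen hierarchy (the `rdma` controller is used because it is usually left unmounted). The mountinfo test is a heuristic: a hybrid host may still expose v1 controllers that the probe can mount itself.

```sh
#!/bin/sh
# Added example, not from the article: audit CVE-2022-0492 preconditions
# inside a container. Inputs are files/strings so the logic is testable.

# cgroup_v1_mounted <mountinfo>: 0 if a cgroup v1 hierarchy is mounted.
# In /proc/self/mountinfo the filesystem type follows " - ", so v1 shows
# as " - cgroup " and the unified hierarchy as " - cgroup2 ".
cgroup_v1_mounted() {
    grep -q ' - cgroup ' "$1"
}

# lsm_confined <attr_current>: 0 if the process carries an enforcing
# AppArmor profile or an SELinux label (/proc/self/attr/current);
# 1 for "unconfined", a complain-mode profile, or an unreadable file.
lsm_confined() {
    label=$(tr -d '\000' < "$1" 2>/dev/null)
    case "$label" in
        ""|unconfined|*"(complain)"*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_root <uid>: release_agent is root-owned, so only uid 0 can write it.
is_root() {
    [ "$1" -eq 0 ]
}

# verdict <uid> <mountinfo> <attr_current>: prints the first blocking
# condition and returns 1, or returns 0 when all preconditions are met.
verdict() {
    if ! is_root "$1"; then
        echo "not root: cannot write release_agent"; return 1
    fi
    if ! cgroup_v1_mounted "$2"; then
        echo "no cgroup v1 hierarchy visible: release_agent not exposed"; return 1
    fi
    if lsm_confined "$3"; then
        echo "AppArmor/SELinux confinement present: exploit path blocked"; return 1
    fi
    echo "preconditions met: run probe_release_agent_write to test the kernel"
    return 0
}

# probe_release_agent_write [controller]: live kernel test. Enters a new
# user+mount+cgroup namespace (gaining CAP_SYS_ADMIN only there), mounts a
# v1 hierarchy and writes an empty release_agent. A patched kernel returns
# EPERM because the caller lacks CAP_SYS_ADMIN in the initial user
# namespace; success means the kernel is unpatched. Writing "" is harmless
# (an empty agent runs nothing). Assumed: util-linux unshare, uid 0,
# container at the root of the hierarchy.
probe_release_agent_write() {
    ctrl=${1:-rdma}
    d=$(mktemp -d)
    if unshare -UrmC sh -c \
        'mount -t cgroup -o "$1" cgroup "$2" && echo "" > "$2/release_agent"' \
        probe "$ctrl" "$d" 2>/dev/null; then
        echo "VULNERABLE: release_agent written without host CAP_SYS_ADMIN"
        rc=0
    else
        echo "not writable via this path (patched kernel, LSM/seccomp, or hierarchy not mountable)"
        rc=1
    fi
    rmdir "$d" 2>/dev/null
    return $rc
}

# audit_live: static checks on the real /proc files, then the probe.
audit_live() {
    verdict "$(id -u)" /proc/self/mountinfo /proc/self/attr/current &&
        probe_release_agent_write
}

# Only run against the live system when invoked as: sh audit.sh audit
case "${1:-}" in
    audit) audit_live ;;
esac
```

Run it as root inside a disposable test container; a "VULNERABLE" line from the probe means the kernel still lacks the CAP_SYS_ADMIN check, while a refusal can equally come from a patched kernel, an LSM profile, or a seccomp filter that denies unshare or mount, so the static verdict is printed first to tell those cases apart.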