Linux Kernel Bug Allows Kubernetes Container Escape

Hackers could exploit a Linux kernel bug to escape Kubernetes containers and access critical resources; however, the threat is minimized as any attacker needs to have the specific Linux capability CAP_SYS_ADMIN.

The high-severity Common Vulnerabilities and Exposures (CVE) 2022-0185, first reported by security publication BleepingComputer, affects all Linux kernel versions from 5.1-rc1 to the latest releases (5.4.173, 5.10.93, 5.15.1).

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

The public exploit code for the issue is expected to be released soon by Crusaders of Rust (CoR), the team which discovered the vulnerability, meaning all systems at risk from this issue should apply the patch as soon as possible.

A container breakout is a privilege escalation attack that leverages flaws in a containerized environment to gain access to its hosting environment.

Containers are intended to keep the application living inside it isolated, both from other applications on the host system and to protect the host from application misbehavior or compromise. Escaping the container breaks that model and enables access to other parts of the system.

Brendan Creane, head of engineering at Tigera, a provider of security and observability for containers, Kubernetes and cloud, says this is a serious issue, as the entire concept of a containerized environment is to allow potentially untrusted data to be processed and any potential exploits (denial of service, arbitrary code execution, etc.) be limited to within the container.

“Having a container breakout breaks that concept, which means an attacker can escape the containerized environment and gain access to the host,” he says. “This can potentially allow the attacker to access other containers or access sensitive data on the host.”

Breaking Out

If a malicious actor can escape the container and access the underlying host, they can use that as a launching point to search for additional vulnerabilities in the overall cluster.

“That’s why container isolation, or the guarantee that a compromised container can’t access other resources on the host or in the cluster, is an essential part of the contract for securing Kubernetes,” Creane says.

In addition to the scenario above, Creane explains that managed Kubernetes providers rely on container isolation to enforce separation of concerns within a host that’s potentially shared by multiple customers.

“In other words, if Client A can escape their container and access the host, they can potentially compromise services running on that particular host that are owned by Client B,” he says. “Since the security boundary between the container and host is lost, the attacker no longer needs to care if the workload they have compromised is containerized or not.”

Limits to Container Security

Casey Bisson, head of product growth at BluBracket, a provider of code security solutions, pointed out container security has been improving, but many of the benefits of containers come from the very flexibility that limits the security they provide.

He notes that containers continue to lag behind virtual machines (VMs) in securely isolating workloads from each other on the same hardware.

Bisson says operators and AppSec teams will need to evaluate and balance risks against infrastructure costs for their applications.

“It might work well and provide efficiencies to run containers from the same team or group of teams on the same cluster, but many people are likely to continue to isolate workloads onto separate clusters or use placement rules to separate containers from different teams on different VMs,” he says.

Bisson says the day may come where container security matches that of VMs, but adds that VMs have had security flaws too, and even isolating workloads on different hosts has never really been enough to keep hackers at bay.

From his perspective, comprehensive security goes beyond the runtime environment to include supply chain protections, dynamic and static code analysis, efforts to securely manage secrets and more.

“We see that code is now the largest and least-protected threat vector,” he says. “Attackers are targeting upstream components that are unguarded so they can then infiltrate those who use the components. Kubernetes, unfortunately, is a perfect target because of its widespread use. Luckily, the community has even more focus on security in Kubernetes so the capabilities will continue to develop.”

Mike Parkin, engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, says that while security vulnerabilities are discovered every day, it’s hard to predict which specific ones will become weaponized by threat actors and used in the wild.

“That’s why patching security vulnerabilities—whether in standard systems or containerized environments—is so important,” he says. “You must assume the worst and keep your systems up-to-date.”

Parkin explains that with container environments, attackers get a choice: Compromise the application itself and use that for their end goal or go after the host system the container is running on and expand from there.

“Those aren’t mutually exclusive targets, either,” he adds. “Defenders need to consider the security of both the applications and the virtualization platform itself. Those aren’t mutually exclusive defenses, but they do require a different focus and a different set of skills.”