Vulnerability in CRI-O allowing root access to the host environment

A critical vulnerability (CVE-2022-0811) has been identified in CRI-O, a runtime for managing isolated containers, that allows container isolation to be bypassed and code to be executed on the host system. If CRI-O is used instead of containerd or Docker to run containers under the Kubernetes platform, an attacker can gain control of any node in the Kubernetes cluster. To carry out the attack, the attacker only needs enough rights to run their own container in the Kubernetes cluster.

The vulnerability is caused by the ability to change the kernel sysctl parameter “kernel.core_pattern” (“/proc/sys/kernel/core_pattern”), access to which was not blocked even though it is not among the parameters that are safe to change, i.e. those whose effect is confined to the namespace of the current container. Through this parameter, a user inside a container can change how the Linux kernel handles core files on the host side and arrange for an arbitrary command to run with root rights on the host by specifying a pipe handler of the form “|/bin/sh -c 'commands'”.
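Two defender-side checks that follow from the mechanism above, written for this note and not taken from CRI-O or the original article: an audit of a Pod spec for sysctls outside the Kubernetes namespaced-safe set (which does not include kernel.core_pattern), and a host-side check of core_pattern for a pipe handler that is not a known core-dump helper. The safe-sysctl list and the handler allowlist are assumptions to be verified against your cluster version and host distribution; the Pod spec is constructed sample input.

```python
import re

# Sysctls Kubernetes treats as namespaced-safe (assumption: taken from the
# Kubernetes docs; verify against the cluster version you run).
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}
# Values of the safe sysctls are integers or "lo hi" ranges; anything else is suspect.
SAFE_VALUE = re.compile(r"^[0-9]+( [0-9]+)?$")

# Core-dump helpers that legitimately use the "|" handler form (assumption: adjust per host).
KNOWN_CORE_HANDLERS = ("/usr/lib/systemd/systemd-coredump", "/usr/share/apport/apport")


def audit_pod_sysctls(pod):
    """Return findings for entries in pod.spec.securityContext.sysctls."""
    findings = []
    sysctls = pod.get("spec", {}).get("securityContext", {}).get("sysctls", [])
    for entry in sysctls:
        name, value = entry.get("name", ""), str(entry.get("value", ""))
        if name not in SAFE_SYSCTLS:
            findings.append(f"unsafe sysctl requested: {name}")
        elif not SAFE_VALUE.match(value):
            findings.append(f"suspicious value for {name}: {value!r}")
    return findings


def check_core_pattern(pattern):
    """Return a finding if /proc/sys/kernel/core_pattern pipes dumps to an unknown handler."""
    pattern = pattern.strip()
    if not pattern.startswith("|"):
        return None  # plain file pattern: the kernel writes a file, it runs nothing
    words = pattern[1:].split()
    handler = words[0] if words else ""
    if handler in KNOWN_CORE_HANDLERS:
        return None
    return f"core_pattern pipes to unexpected handler: {handler!r}"


# Constructed sample: a Pod that requests kernel.core_pattern outright.
SAMPLE_POD = {"spec": {"securityContext": {"sysctls": [
    {"name": "kernel.shm_rmid_forced", "value": "1"},
    {"name": "kernel.core_pattern", "value": "|/bin/sh -c 'commands'"},
]}}}

if __name__ == "__main__":
    for finding in audit_pod_sysctls(SAMPLE_POD):
        print(finding)
    print(check_core_pattern("|/bin/sh -c 'commands'"))
```

On a patched CRI-O the first check is still worth running as an admission-time guard, and the second as a periodic node check, since a pod that gets core_pattern set through any path leaves exactly this trace on the host.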

The problem has been present since the release of CRI-O 1.19.0 and was fixed in updates 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2 and 1.24.0. Among distributions, the problem affects the Red Hat OpenShift Container Platform and openSUSE/SUSE products, which ship the cri-o package in their repositories.

Source: opennet.ru
