C-0086 - CVE-2022-0492-cgroups-container-escape

Framework

ArmoBest, AllControls

Severity

Medium

Description of the the issue

Linux Kernel vulnerability CVE-2022-0492 may allow malicious code running inside container to escape container isolation and gain root privileges on the entire node. In order to exploit this vulnerability, malicious code should run as root in the container or have CAP_DAC_OVERRIDE capability. If SELinux or AppArmor is deployed, this CVE becomes not exploitable. Also, the exploit is possible when container runtime uses cgroup version 1 implementation (which we assume is on by default, since it is not visible from the Kubernetes level). When fixed Kernel version numbers will become available, this control will be modified to verify them and avoid false positive detections. Note, it is enough to have a single node in the cluster with vulnerable Kernel in order to damage the system. This control identifies all the resources that don't deploy niether AppArmor nor SELinux, run as root or allow privileged escalation or have corresponding dangerous capabilities.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

This control checks whether the container is running with high privileges (root or CAP_DAC_OVERRIDE capability) and doesn't have SELinux or AppArmor enabled. In case where the container is running with CAP_DAC_OVERRIDE capability, we also check for Seccomp, as it's enough to prevent the exploitation in this case.

Remediation

Activate AppArmor or SELinux. Follow the least privilege principle and remove root privileges or privilege escalation option and CAP_DAC_OVERRIDE capability. Make sure you don't allow container images from potentially dangerous sources and that containers that must have high privileges are taken from protected repositories.

Example