The team at CrowdStrike’s Cloud Threat Research recently discovered a new vulnerability in CRI-O, a lightweight container runtime interface for Kubernetes. The vulnerability, dubbed “cr8escape” and tracked as CVE-2022-0811, could allow an attacker to escape from a Kubernetes container, gain root access to the host, and move anywhere in the cluster.
The Magalix Policy Team, now the Weave Policy team, created a policy to prevent exploitation of this vulnerability. In this article, we explain what the vulnerability is and how policy as code can be used to block a possible attack.
A zero-day vulnerability, Cr8escape has a CVSS score of 8.8 out of 10 and can allow arbitrary code to be executed, even on systems that do not run Kubernetes.
The security defect sits in CRI-O, the component that lets Kubernetes, more specifically the kubelet, run containers on a host through a single interface. Anyone who can create a pod, even with low privileges, can escape to the underlying host.
“Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including the execution of malware, exfiltration of data, and lateral movement across pods,” CrowdStrike researchers John Walker and Manoj Ahuje said in an analysis published this week.
CrowdStrike researchers said, “As a result of CVE-2022-0811, anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime can abuse the ‘kernel.core_pattern’ parameter to achieve container escape and arbitrary code execution as root on any node in the cluster.”
To determine if your host is affected, run crio --version and compare the reported version with the patched CRI-O releases.
Kubernetes fully supports CRI-O, though the open-source interface isn’t used in popular managed Kubernetes services such as AWS EKS, Azure AKS, or GCP GKE. The vulnerability indirectly affects software and platforms that depend on and use it, including:
A successful exploit of this elevation-of-privilege flaw would give the attacker control over servers. Such an attack can spiral into a supply chain attack, compromising a developer’s environment and pushing malicious code to end users via software updates.
The infamous SolarWinds attack in 2021 is a typical example of how this kind of security flaw can be abused. Russian-sponsored hackers compromised the software update pipeline of the IT management software maker and pushed malware onto thousands of customer servers and administrator systems.
Some of the affected organizations included U.S. government agencies, such as the Department of Justice and Homeland Security, and technology companies such as FireEye and Microsoft.
As mentioned by CrowdStrike's team, the lack of sufficient validation on Pod sysctl parameters allows an attacker to abuse custom parameters in a deployed K8s Pod. In this way, the attacker can escape from the container and execute code on K8s cluster nodes.
With policy as code, we have two approaches to mitigate this vulnerability:
1. Block any Pod that sets sysctl parameters from being deployed.
2. Block any Pod whose sysctl settings contain “+” or “=” in their value.
The second approach suits clusters that already run Pods with custom sysctl settings: instead of rejecting sysctls outright, we validate each value to ensure it contains neither "+" nor "=", the characters the exploit relies on to escape from the container.
The first approach is easy to implement. All we need is to deploy a new Weave Policy CRD to the cluster to add the blocking functionality at the admission controller level.
To implement the second approach we'll just change the violation rule in Rego code to check for "+" and "=" in the sysctl parameters instead of just checking whether they exist or not. This approach is for use cases where sysctl parameters are required, but prevention of the exploit is still necessary.
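The two approaches above, written out as an added Python illustration of the logic the Rego rule would carry (this is not the Weave Policy code itself). The functions take a Kubernetes manifest as a decoded dict, the shape an admission controller sees, and the example goes slightly beyond the article by also looking inside the pod template of a Deployment or similar workload. All sample manifests, names and the placeholder sysctl value are constructed for this example.

```python
"""Policy logic for the two cr8escape (CVE-2022-0811) mitigation approaches.

Added illustration in Python, not the article's Weave Policy / Rego code.
Manifests are plain dicts (a decoded Pod or workload object); sample
manifests below are constructed for this example.
"""
from typing import Any, Dict, List

# Approach 1: refuse every Pod that sets any sysctl at all.
BLOCK_ALL = "block-all"
# Approach 2: allow sysctls, but refuse values containing '+' or '='.
BLOCK_UNSAFE_VALUES = "block-unsafe-values"


def pod_spec_of(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec of a Pod, or of a workload (Deployment, DaemonSet,
    StatefulSet, Job, ...) that embeds one under spec.template.spec."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    return ((spec.get("template") or {}).get("spec")) or {}


def sysctls_of(obj: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Pod-level sysctls live under spec.securityContext.sysctls as
    a list of {"name": ..., "value": ...} entries."""
    security_context = pod_spec_of(obj).get("securityContext") or {}
    return security_context.get("sysctls") or []


def violations(obj: Dict[str, Any], mode: str = BLOCK_ALL) -> List[str]:
    """Return one message per violating sysctl entry; an empty list means admit."""
    if mode not in (BLOCK_ALL, BLOCK_UNSAFE_VALUES):
        raise ValueError(f"unknown policy mode {mode!r}")
    found: List[str] = []
    for entry in sysctls_of(obj):
        name = str(entry.get("name", ""))
        value = str(entry.get("value", ""))
        if mode == BLOCK_ALL:
            found.append(f"sysctl {name!r} is not permitted by policy")
        elif "+" in value or "=" in value:
            # A legitimate sysctl value is a bare number or token; '+' and '='
            # inside the value are the markers the article tells us to reject.
            found.append(f"sysctl {name!r} has a suspicious value {value!r}")
    return found


def admit(obj: Dict[str, Any], mode: str = BLOCK_ALL) -> bool:
    """Admission decision: True allows the object, False rejects it."""
    return not violations(obj, mode)


# --- constructed sample manifests (not from the original article) ---

PLAIN_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "plain"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

# A harmless, commonly used sysctl: the value is just "80", no '+' or '='.
SYSCTL_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "low-port"},
    "spec": {
        "securityContext": {
            "sysctls": [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "80"}]
        },
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

# A Deployment whose pod template smuggles a second sysctl inside the value of
# the first one. The value is a constructed placeholder, not a working payload.
INJECTED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "suspicious"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {
                    "sysctls": [{"name": "net.ipv4.ip_unprivileged_port_start",
                                 "value": "80+kernel.core_pattern=PLACEHOLDER"}]
                },
                "containers": [{"name": "app", "image": "example/app:1.0"}],
            }
        }
    },
}

if __name__ == "__main__":
    for manifest in (PLAIN_POD, SYSCTL_POD, INJECTED_DEPLOYMENT):
        name = manifest["metadata"]["name"]
        for mode in (BLOCK_ALL, BLOCK_UNSAFE_VALUES):
            print(f"{name:12s} {mode:20s} admit={admit(manifest, mode)} {violations(manifest, mode)}")
```

Run as a script it prints the decision for each sample under both modes: the plain Pod is admitted everywhere, the low-port Pod is rejected only under the first approach, and the Deployment with the injected value is rejected under both. Checking the workload's pod template matters because in practice Pods are rarely created directly, and a policy that only inspects kind Pod can still catch them at the replica-set level, but failing early at the Deployment is the better user experience.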
Security vulnerabilities such as CVE-2022-0811 are among several recently discovered flaws that can impact an entire Kubernetes infrastructure. Previous examples include Log4j, CVE-2021-25742, CVE-2022-0185, and many others. Given the complexity of cloud-native systems, it is imperative to put preventative measures in place and to continuously monitor for security and compliance violations.
Organizations can do so with Trusted Application Delivery: policy-based governance using policy as code. Weave GitOps Enterprise enables organizations to speed up their development process with security and compliance taken into account. To learn more about Trusted Delivery and how it can benefit your organization, Request a Demo now.