CVE-2022-27650: Crun and Moby (Docker Engine) Containers Start Incorrectly with Non-Empty Default Permissions – Exploit Details, Code Snippets & Official References
In the world of containerization, security is of utmost importance. With that said, it's crucial that security issues are identified and fixed in a timely fashion. CVE-2022-27650 is the identifier for two flaws found in crun and Moby (Docker Engine). These vulnerabilities stem from containers being started incorrectly with non-empty default permissions, which allows potential exploits.
In this post, we will discuss the details of these vulnerabilities, share code snippets to highlight the issue, and provide links to original references, ultimately helping you understand the implications of this flaw and take appropriate measures.
Crun Flaw Overview
Crun is a lightweight, fast, and secure container runtime. It's meant to be a drop-in alternative for runc. The flaw found in crun is that containers are being incorrectly started with non-empty default permissions.
Moby (Docker Engine) Flaw Overview
Moby is an open source framework that powers Docker Engine. Within Moby, the same vulnerability that affects crun has been found. Containers are started incorrectly with non-empty inheritable Linux process capabilities.
Exploit Details
An attacker with access to programs with inheritable file capabilities can exploit this flaw, ultimately able to elevate those capabilities to the permitted set when execve(2) is executed. This may lead to a container breakout and arbitrary code execution on the host.
Below is a code snippet demonstrating the issue
// Code snippet demonstrating incorrect container startup with non-empty default permissions
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <linux/capability.h>
void trigger_vulnerability() {
// Capabilities before execve
cap_t caps = cap_get_proc();
printf("Before execve: %s\n", cap_to_text(caps, NULL));
cap_free(caps);
// Execute vulnerable program with inheritable capabilities
char *argv[] = {"/path/to/vulnerable/program", NULL};
execve(argv[], argv, NULL);
perror("execve"); // Only reached if execve fails
}
int main() {
// Set inheritable capabilities
cap_t caps = cap_get_proc();
cap_set_flag(caps, CAP_INHERITABLE, <necessary_capabilities>, <capability_values>);
cap_set_proc(caps);
trigger_vulnerability();
return ;
}
Mitigation Suggestions
To mitigate these vulnerabilities, it's essential to ensure proper handling of Linux process capabilities during container initialization. Vendors are advised to apply available patches and updates to crun and Moby (Docker Engine) to prevent these vulnerabilities from being exploited.
To receive updated versions of crun, Moby (Docker Engine), and other container runtimes with the necessary patches, we recommend visiting the respective project's GitHub repositories:
- Crun: https://github.com/containers/crun
- Moby: https://github.com/moby/moby
Final users should ensure that they are using the latest, patched versions of these container runtimes while maintaining regular updates.
Conclusion
CVE-2022-27650 details the exploitability of a serious vulnerability found within crun and Moby (Docker Engine). With containers being started incorrectly with non-empty default permissions, attackers can potentially gain unauthorized access and capabilities. By understanding this vulnerability and ensuring that proper updates are applied, users can help maintain the security of their containerized environments.
Timeline
Published on: 04/04/2022 20:15:00 UTC
Last modified on: 04/13/2022 17:12:00 UTC