Mar 17, 2022 - 5:55 a.m.

Attackers Escape Kubernetes Containers using “cr8escape” Vulnerability in CRI-O

Hive Pro
www.hivepro.com

THREAT LEVEL: Red.

A flaw in CRI-O, an open-source Linux implementation of Kubernetes' Container Runtime Interface (CRI), was discovered that may allow an attacker to gain remote control of servers and potentially poison the container with attack code.

The "cr8escape" vulnerability (CVE-2022-0811) allows an attacker to circumvent the host's defenses and set arbitrary kernel parameters. As a result, attackers with permissions to deploy a pod on a Kubernetes cluster using the CRI-O runtime can exploit the "kernel.core_pattern" parameter to accomplish container escape and run arbitrary code as root on any node in the cluster. This allows an attacker to carry out a range of operations on targets, including malware execution, data exfiltration, and lateral movement across pods.

The vulnerability has been patched in CRI-O versions 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, 1.24.0.

Potential MITRE ATT&CK TTPs are:

TA0042: Resource Development
T1588: Obtain Capabilities
T1588.006: Obtain Capabilities: Vulnerabilities
TA0002: Execution
T1059: Command and Scripting Interpreter
TA0007: Discovery
T1613: Container and Resource Discovery
TA0003: Persistence
TA0001: Initial Access
T1133: External Remote Services

Vulnerability Details

Patch Link
https://github.com/cri-o/cri-o/releases

References
https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
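
To check a cluster against the patched versions listed above, the following added example (not part of the Hive Pro advisory or the CRI-O project) classifies each node by the containerRuntimeVersion string Kubernetes reports for it, such as "cri-o://1.22.1". The function names and the sample inventory are constructed for illustration; branches for which the advisory lists no fixed release are reported as "unknown", and branches newer than 1.24 are assumed to carry the fix.

```python
import re

# Fixed patch level per minor branch, taken from the advisory text.
FIXED = {(1, 19): 6, (1, 20): 7, (1, 21): 6, (1, 22): 3, (1, 23): 2, (1, 24): 0}

_RUNTIME_RE = re.compile(
    r"^(?P<name>[a-z0-9-]+)://(?P<maj>\d+)\.(?P<min>\d+)\.(?P<patch>\d+)")


def classify_runtime(runtime_version: str) -> str:
    """Classify a containerRuntimeVersion string, e.g. 'cri-o://1.22.1'."""
    m = _RUNTIME_RE.match(runtime_version.strip())
    if not m:
        return "unparseable"
    if m["name"] != "cri-o":
        return "not-cri-o"
    branch = (int(m["maj"]), int(m["min"]))
    if branch in FIXED:
        return "patched" if int(m["patch"]) >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "patched"  # assumption: branches after 1.24 include the fix
    return "unknown"      # the advisory lists no fixed release for this branch


def audit_nodes(node_list: dict) -> dict:
    """Map node name -> status for a `kubectl get nodes -o json` document."""
    report = {}
    for item in node_list.get("items", []):
        info = item.get("status", {}).get("nodeInfo", {})
        report[item["metadata"]["name"]] = classify_runtime(
            info.get("containerRuntimeVersion", ""))
    return report


def _node(name: str, runtime: str) -> dict:
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"containerRuntimeVersion": runtime}}}


# Constructed sample inventory, not real cluster data.
SAMPLE_NODES = {"items": [
    _node("worker-a", "cri-o://1.22.1"),
    _node("worker-b", "cri-o://1.23.2"),
    _node("worker-c", "containerd://1.6.2"),
    _node("worker-d", "cri-o://1.18.4"),
    _node("worker-e", "cri-o://1.25.0"),
]}

if __name__ == "__main__":
    for node, status in audit_nodes(SAMPLE_NODES).items():
        print(f"{node}: {status}")
```

Against a live cluster, pass the parsed output of `kubectl get nodes -o json` to audit_nodes in place of the sample inventory.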