CRI-O container engine bug allows Kubernetes container escape

Provides cross-container root access.

Kubernetes users running the CRI-O container engine need to patch against a newly-discovered container escape vulnerability.

Discovered by Crowdstrike and dubbed “cr8escape”, the CRI-O bug (CVE-2022-0811) allows a malicious actor to start a container on shared infrastructure and, from that container, launch attacks against other containers, including malicious code execution, data exfiltration, and lateral movement across pods.

As noted in the Crowdstrike advisory, the attacker escapes the container by abusing the kernel.core_pattern kernel parameter.

The advisory cited OpenShift 4 and the Oracle Container Engine for Kubernetes as platforms that may be affected by the CRI-O bug, and there are others. A complete list of CRI-O adopters is here.

The flaw was introduced in Version 1.19 of CRI-O, and is patched in versions 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, 1.24.0. Patched versions are here.

Crowdstrike adds that the pinns_path configuration parameter can be set “to point to a pinns wrapper that strips the ‘-s’ option”, preventing pods from updating any kernel parameters.
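
A wrapper of the kind Crowdstrike describes could look like the following. This is an added example, not code from the advisory or the CRI-O project; the paths /usr/bin/pinns.real and /usr/local/bin/pinns-no-sysctl and the `--sysctl` long spelling are assumptions.

```shell
#!/bin/sh
# pinns wrapper: drop every sysctl request before the real pinns runs.
# Assumed layout (not from the advisory): the real binary is moved to
# /usr/bin/pinns.real, this script is installed as
# /usr/local/bin/pinns-no-sysctl, and crio.conf contains
#   [crio.runtime]
#   pinns_path = "/usr/local/bin/pinns-no-sysctl"
REAL_PINNS=/usr/bin/pinns.real

# strip_sysctl RUNNER ARGS...
# Rotates through ARGS once, keeping everything except "-s" and its value,
# then calls RUNNER with the surviving arguments (quoting preserved).
strip_sysctl() {
    _runner=$1; shift
    _left=$#
    _skip=0
    while [ "$_left" -gt 0 ]; do
        _arg=$1; shift; _left=$((_left - 1))
        if [ "$_skip" -eq 1 ]; then
            _skip=0            # this argument is the value that followed "-s"
            continue
        fi
        case $_arg in
            -s|--sysctl)     _skip=1 ;;   # flag with a separate value
            -s?*|--sysctl=*) ;;           # flag with an attached value
            *)               set -- "$@" "$_arg" ;;
        esac
    done
    "$_runner" "$@"
}

# Replace this process with the real pinns, minus any sysctl options.
exec_real_pinns() { exec "$REAL_PINNS" "$@"; }

# CRI-O always invokes pinns with arguments; with none there is nothing to do.
if [ "$#" -gt 0 ]; then
    strip_sysctl exec_real_pinns "$@"
fi
```

With this in place, pods that request sysctls in their spec start without them, so workloads that depend on namespaced sysctls need to be checked before rollout.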

Finally, Crowdstrike’s researchers note: “Kubernetes is not necessary to invoke CVE-2022-8011. An attacker on a machine with CRI-O installed can use it to set kernel parameters all by itself”.

 

Copyright © iTnews.com.au . All rights reserved.