Last Updated on 05/03/2022 by Nidhi Khandelwal
Details concerning a now-patched high-severity vulnerability in the Linux kernel that could be exploited to escape a container and execute arbitrary instructions on the container host have surfaced.
The flaw lies in a Linux kernel feature known as control groups, specifically cgroups version 1 (v1), which allows programmes to be arranged into hierarchical groups so that users can regulate and monitor resource utilization such as CPU, memory, disc I/O, and network.
The vulnerability, tracked as CVE-2022-0492 (CVSS score: 7.0), is a privilege escalation in the cgroups v1 release_agent feature, a script that the kernel executes after any process in the cgroup is terminated.
In a paper released this week, Unit 42 researcher Yuval Avrahami said, “The issue stands out as one of the simplest Linux privilege escalations reported in recent times: the Linux kernel accidentally exposed a privileged function to unprivileged users.”
Whether the release_agent programme is invoked when a given cgroup becomes empty is determined by the value in the notify_on_release file of that cgroup's directory. If the file contains 0, the release_agent programme is not run; if it contains 1, it is. In the root cgroup, the default value of this file is 0.
In other words, if an attacker can overwrite the release_agent file, the kernel will run whatever programme is named there with the highest possible privileges, allowing a complete takeover of the host machine.
It is worth noting, however, that only processes with “root” rights can write to the file, meaning the flaw only allows root processes to raise their privileges.
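As an added illustration written for this page (not code from the article or from Unit 42's write-up), the audit below walks a cgroup v1 hierarchy laid out like /sys/fs/cgroup and reports every cgroup whose notify_on_release is 1 while its subsystem's release_agent is non-empty, flagging agents that point into world-writable or container-owned paths. The sample tree, the prefix list and the function names are assumptions made for this example; the script applies to cgroup v1 only, since the unified v2 hierarchy has no release_agent file.

```python
import os
import tempfile
from pathlib import Path

# Assumed list of path prefixes where a legitimate release agent should never live.
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/lib/docker/", "/var/lib/containerd/")

def audit_cgroup_v1(root):
    """Walk a cgroup v1 mount laid out like /sys/fs/cgroup and return a list of
    (subsystem, cgroup, agent, suspicious) for every cgroup whose notify_on_release
    is 1 while its subsystem's release_agent is non-empty: emptying such a cgroup
    makes the kernel run that agent as root on the host."""
    findings = []
    root = Path(root)
    for subsys in sorted(p for p in root.iterdir() if p.is_dir()):
        agent_file = subsys / "release_agent"
        if not agent_file.is_file():
            continue  # cgroup v2 or a non-root mount: no release_agent here
        agent = agent_file.read_text().strip()
        if not agent:
            continue  # no agent configured, so notify_on_release=1 is harmless
        for dirpath, _dirs, files in os.walk(subsys):
            if "notify_on_release" not in files:
                continue
            if (Path(dirpath) / "notify_on_release").read_text().strip() == "1":
                cgroup = str(Path(dirpath).relative_to(subsys))
                findings.append((subsys.name, cgroup, agent, agent.startswith(SUSPICIOUS_PREFIXES)))
    return findings

def build_sample_tree():
    """Constructed sample hierarchy standing in for /sys/fs/cgroup (not a real system)."""
    root = Path(tempfile.mkdtemp())
    layout = {  # subsystem: (release_agent content, {cgroup: notify_on_release})
        "memory": ("", {".": "0", "docker/abc": "1"}),                   # notify set, no agent
        "pids": ("/tmp/x", {".": "0", "docker/abc": "1"}),               # agent in /tmp: flagged
        "cpu": ("/usr/sbin/cgroup-cleanup", {".": "0", "system": "1"}),  # plausible agent: review
    }
    for subsys, (agent, groups) in layout.items():
        (root / subsys).mkdir()
        (root / subsys / "release_agent").write_text(agent + "\n")
        for cgroup, flag in groups.items():
            d = root / subsys / cgroup
            d.mkdir(parents=True, exist_ok=True)
            (d / "notify_on_release").write_text(flag + "\n")
    return root

if __name__ == "__main__":
    for subsys, cgroup, agent, suspicious in audit_cgroup_v1(build_sample_tree()):
        print("SUSPICIOUS" if suspicious else "review    ", subsys, cgroup, agent)
```

Run against a real host by passing "/sys/fs/cgroup" to audit_cgroup_v1 (read access to the hierarchy is all it needs); any non-empty release_agent on a host running untrusted containers deserves a second look even when the path looks legitimate.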