Notice on the containerd Process Privilege Escalation Vulnerability (CVE-2022-24769)
Description
A security vulnerability has been disclosed in the containerd open source community. When non-root containers are incorrectly started with a non-empty inheritable capability set, an attacker who can execute a program carrying inheritable file capabilities may elevate those capabilities into the process's permitted set during execve. This vulnerability has been assigned CVE-2022-24769.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Privilege escalation | CVE-2022-24769 | Low | 2022-03-24
Impact
When a container is created using containerd, Linux process capabilities are placed in the inheritable set by default. As a result, when a non-root process in the container calls execve(), the intersection of the process inheritable capabilities and the file inheritable capabilities of the executed program is added to the permitted set of the new process, causing unexpected privilege escalation. Note that this escalation does not exceed the capabilities the process held before execve; it only carries the previously inheritable capabilities over into the permitted set.
Clusters that use the following containerd versions are affected:
1. CCE Turbo clusters that use a containerd version earlier than 1.4.1-98 as the Kubernetes CRI runtime
2. CCE clusters that use a containerd version earlier than 1.5.11
Identification Method
View the containerd version by running the `containerd --version` command on a worker node as the root user.
Solution
Modify the container entry point to run the workload through the capsh utility so that the inheritable capability set is cleared before the workload starts.
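To make the mechanism in the Impact section concrete, the following added example (not code from containerd or from this notice) models the execve(2) capability transition rule from capabilities(7) for a non-root process, compares the default (non-empty CapInh) case with the cleared-CapInh case that the capsh entry point produces, and checks the CapInh line of a /proc/<pid>/status excerpt. The capability sets, the status text and the assumption of an empty ambient set are constructed sample values.

```python
# Added example: model of the execve(2) capability transition behind CVE-2022-24769,
# plus a CapInh check over /proc/<pid>/status text. Bit numbers are the Linux ones.
CAP_CHOWN = 0
CAP_NET_BIND_SERVICE = 10
CAP_NET_RAW = 13


def capmask(*bits):
    """Pack capability bit numbers into a bitmask as the kernel stores them."""
    mask = 0
    for bit in bits:
        mask |= 1 << bit
    return mask


def permitted_after_execve(p_inh, p_bnd, p_amb, f_inh, f_perm):
    """New permitted set after execve(2), per capabilities(7):
    P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
    """
    return (p_inh & f_inh) | (f_perm & p_bnd) | p_amb


def parse_cap_inh(status_text):
    """Return the CapInh mask parsed from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapInh:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapInh line not found")


def inheritable_is_nonempty(status_text):
    """True when the process carries inheritable caps, the precondition for this CVE."""
    return parse_cap_inh(status_text) != 0


# Constructed sample: a non-root process whose bounding set holds a few caps.
BOUNDING = capmask(CAP_CHOWN, CAP_NET_BIND_SERVICE, CAP_NET_RAW)
FILE_INH = capmask(CAP_NET_RAW)   # program with file inheritable caps (e.g. cap_net_raw+i)
FILE_PERM = 0                     # no file permitted caps, so only the inheritable path matters
AMBIENT = 0                       # assumed: no ambient capabilities configured

# Default behaviour: CapInh populated with the whole bounding set.
VULN_PERMITTED = permitted_after_execve(BOUNDING, BOUNDING, AMBIENT, FILE_INH, FILE_PERM)
# Mitigated behaviour: CapInh cleared, which is what the capsh entry point achieves.
FIXED_PERMITTED = permitted_after_execve(0, BOUNDING, AMBIENT, FILE_INH, FILE_PERM)

# Constructed /proc/<pid>/status excerpt of a non-root container process with non-empty CapInh.
SAMPLE_STATUS = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"

if __name__ == "__main__":
    print(f"default CapInh: permitted={VULN_PERMITTED:#x}  cleared CapInh: permitted={FIXED_PERMITTED:#x}")
    print("CapInh non-empty:", inheritable_is_nonempty(SAMPLE_STATUS))
```

Checking CapInh of a container's PID 1 in this way is a quick way to confirm on a node whether the entry-point change took effect.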
Helpful Links
Community announcement: https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c