Notice on the containerd Process Privilege Escalation Vulnerability (CVE-2022-24769)

Description

A security vulnerability has been disclosed in the containerd open source community. When non-root containers were started incorrectly with non-empty inheritable capabilities, attacker may gain access to programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve. This vulnerability has been assigned CVE-2022-24769.

Impact

When a container is created using containerd, Linux process capabilities are included in the inheritable set by default. As a result, when execve() runs in a process in the container by a non-root user, the intersection of the process inheritable capabilities and the file inheritable capabilities is added to the permitted set of the process after execution, causing unexpected privilege escalation. It should be noted that the privilege escalation does not break through the process permission before execve, but only inherits the previous capabilities.

Clusters that use the following containerd versions are affected:

1. CCE Turbo clusters that use the containerd of a version earlier than 1.4.1-98 as the Kubernetes CRI runtime

2. CCE clusters that use the containerd of a version earlier than 1.5.11

Identification Method

View the containerd version by running the containerd --version command on a worker node as the root user.

Log in to the new CCE console to view the runtime version on the Nodes page.

Solution

The entry point of a container can be modified to use the capsh utility to remove inheritable capabilities.

Helpful Links

Community announcement: https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c