A recently disclosed vulnerability called “cr8escape” has been discovered by CrowdStrike. It affects CRI-O, a Kubernetes container engine. Describing it as a critical vulnerability, CrowdStrike said “when invoked, an attacker could escape from a Kubernetes container and gain root access to the host and be able to move anywhere in the cluster”. This means that an attacker can easily bypass Kubernetes and execute malware, exfiltrate data or move laterally across pods. The CVSS score shared by CrowdStrike is also very high: it stands at 8.8. A patch has been released for the vulnerability.
A code change introduced in CRI-O version 1.19 allows an attacker exploiting CVE-2022-0811, or “cr8escape”, to manipulate kernel parameters, specifically “kernel.core_pattern”, to escape the container and get root access to the host. This parameter sets the pattern used to name core dumps. When it is manipulated to point to a malicious shell script, the vulnerability triggers that script to run, giving the attacker unauthorized remote code execution and unwarranted access to the node.
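Because the escape works by changing “kernel.core_pattern”, a node can be audited for a core-dump handler it should not have. The following is an added example, not code from CrowdStrike or the CRI-O project; the handler allowlist, the suspect path prefixes and the sample values are assumptions to adapt to your own nodes.

```python
#!/usr/bin/env python3
"""Audit kernel.core_pattern on a node for an unexpected pipe handler."""
from __future__ import annotations
from pathlib import Path

CORE_PATTERN = Path("/proc/sys/kernel/core_pattern")

# Assumption: core-dump handlers this fleet expects; adjust per distribution.
ALLOWED_HANDLERS = {
    "/usr/lib/systemd/systemd-coredump",
    "/lib/systemd/systemd-coredump",
    "/usr/share/apport/apport",
}
# Assumption: a node's core handler should never live under these paths.
SUSPECT_PREFIXES = ("/var/lib/containers/", "/var/lib/kubelet/", "/tmp/", "/dev/shm/")

# Constructed sample values, not captured from a real incident.
SAMPLES = [
    "core",
    "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h",
    "|/var/lib/containers/storage/overlay/EXAMPLE/diff/handler.sh",
    "|/opt/vendor/dumper %p",
]


def classify(pattern: str) -> tuple[str, str]:
    """Return (verdict, reason) for one kernel.core_pattern value."""
    value = pattern.strip()
    if not value.startswith("|"):
        return "ok", "core dumps go to a file; no program is executed"
    # A leading '|' tells the kernel to run a program on every core dump.
    args = value[1:].split()
    if not args:
        return "alert", "pipe with no handler"
    handler = args[0]
    if handler in ALLOWED_HANDLERS:
        return "ok", f"expected handler {handler}"
    if handler.startswith(SUSPECT_PREFIXES):
        return "alert", f"handler {handler} is in container or scratch storage"
    return "review", f"handler {handler} is not on the allowlist"


def audit(values: list[str]) -> list[str]:
    """Classify several values, returning only the verdicts."""
    return [classify(v)[0] for v in values]


if __name__ == "__main__":
    verdict, reason = classify(CORE_PATTERN.read_text())
    print(f"{verdict}: {reason}")
    raise SystemExit(0 if verdict == "ok" else 1)
```

Run on the host itself, the script exits non-zero for anything other than a file pattern or an allowlisted handler, so it can feed a scheduled check or a node health probe.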
Thus, by ensuring that the recommended patches are in place and that remediation efforts are followed, organizations using the Kubernetes container engine CRI-O can tackle this vulnerability effectively.