New Linux Kernel cgroups Vulnerability Could Let Attackers Escape Container

[silversurfer]

Content source

https://thehackernews.com/2022/03/new-linux-kernel-cgroups-vulnerability.html

Details have emerged about a now-patched high-severity vulnerability in the Linux kernel that could potentially be abused to escape a container in order to execute arbitrary commands on the container host.

The shortcoming resides in a Linux kernel feature called control groups, also referred to as cgroups version 1 (v1), which allows processes to be organized into hierarchical groups, thereby making it possible to limit and monitor the usage of resources such as CPU, memory, disk I/O, and network.

Tracked as CVE-2022-0492 (CVSS score: 7.0), the issue concerns a case of privilege escalation in the cgroups v1 release_agent functionality, a script that's executed following the termination of any process in the cgroup.

"The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users," Unit 42 researcher Yuval Avrahami said in a report published this week.

New Linux Kernel cgroups Vulnerability Could Let Attackers Escape Container

A new vulnerability in the Linux kernel's control groups feature could let attackers to escape a container to execute arbitrary commands on the host.

thehackernews.com