Unit 42 researcher Yuval Avrahami wrote in a report that, “The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: the Linux kernel accidentally exposed a privileged operation to unprivileged users. On February 4, Linux announced CVE-2022-0492, a new kernel privilege escalation vulnerability. CVE-2022-0492 identifies a logical flaw in control groups (cgroups), a Linux feature that is a key component of container architecture.”
The flaw is in the Linux kernel feature known as control groups (cgroups) version 1 (v1), which allows processes to be organised into hierarchical groups so that resources such as CPU, memory, disc I/O and network can be limited and monitored per group.
According to the Palo Alto Networks threat intelligence team, the vulnerability is the result of a missing check on whether the process setting the release_agent file had administrative privileges, which is what makes it exploitable. Although containers running with AppArmor or SELinux are immune to the flaw, users are advised to apply the patches because it could be exploited by other malicious host processes to elevate privileges.
The cgroups man page explains the mechanism as follows:
The value in the notify_on_release file in the corresponding cgroup directory determines whether or not the release_agent program is invoked when a specific cgroup becomes empty. If this file has the value 0, the release_agent program is not run. If the value is 1, the release_agent program is executed. In the root cgroup, the default value for this file is 0.
If an attacker overwrites this release_agent file, the kernel can be forced to call an arbitrary binary configured in release_agent with the highest possible permissions – a scenario that could effectively allow a complete machine takeover.
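As an added illustration, not part of the original article, the audit below lists cgroup v1 hierarchies from a /proc/mounts listing and flags any root-level release_agent that is set or notify_on_release that is enabled; the mount lines and file contents are constructed samples, and the injectable `read` parameter is an assumption so the logic runs without a real cgroup filesystem.

```python
from pathlib import Path

# Constructed sample of /proc/self/mounts output (not captured from a real host).
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
"""

# Constructed file contents for the two v1 hierarchies above; the rdma
# hierarchy is the suspicious one (release_agent set, notify_on_release on).
SAMPLE_FILES = {
    "/sys/fs/cgroup/memory/release_agent": "\n",
    "/sys/fs/cgroup/memory/notify_on_release": "0\n",
    "/sys/fs/cgroup/rdma/release_agent": "/tmp/agent.sh\n",
    "/sys/fs/cgroup/rdma/notify_on_release": "1\n",
}

def sample_read(path):
    """Stand-in for reading sysfs; raises like the real filesystem would."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]

def cgroup_v1_mounts(mounts_text):
    """Return mount points whose filesystem type is the legacy 'cgroup' (v1)."""
    return [f[1] for f in (line.split() for line in mounts_text.splitlines())
            if len(f) >= 3 and f[2] == "cgroup"]

def audit_release_agent(mount_point, read=lambda p: Path(p).read_text()):
    """Inspect release_agent and notify_on_release at the root of one v1 hierarchy.

    release_agent exists only in the hierarchy root; a non-empty value is the
    path the kernel executes, as root, whenever a cgroup in that hierarchy empties.
    """
    findings = {"mount": mount_point, "issues": []}
    try:
        agent = read(f"{mount_point}/release_agent").strip()
        notify = read(f"{mount_point}/notify_on_release").strip()
    except OSError as exc:
        findings["issues"].append(f"unreadable: {exc}")
        return findings
    findings["release_agent"], findings["notify_on_release"] = agent, notify
    if agent:
        findings["issues"].append(f"release_agent set to {agent!r}")
        if agent.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            findings["issues"].append("release_agent points into a world-writable directory")
    if notify == "1":
        findings["issues"].append("notify_on_release enabled at hierarchy root")
    return findings

if __name__ == "__main__":
    for mnt in cgroup_v1_mounts(SAMPLE_MOUNTS):
        print(audit_release_agent(mnt, read=sample_read))
```

On a live host, call `audit_release_agent` with its default reader over the mounts returned from `Path("/proc/self/mounts").read_text()`.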
In November 2021, cloud security firm Aqua revealed details of a cryptocurrency mining campaign that used the same release_agent container escape technique to drop the XMRig coin miner on infected hosts, marking the first recorded instance of real-world exploitation.
Finally, the researchers concluded that, “Another Linux vulnerability that can be exploited for container escape is CVE-2022-0492. Fortunately, environments that adhere to best practices are immune to this vulnerability. Unsurprisingly, environments with lax security controls that host untrusted or publicly exposed containers are at high risk. It is always preferable to upgrade your hosts to a fixed kernel version.”