CVE-2022-0492 flaw in Linux Kernel cgroups feature allows container escape

A Linux kernel flaw, tracked as CVE-2022-0492, can allow an attacker to escape a container to execute arbitrary commands on the container host.

A now-patched high-severity Linux kernel vulnerability, tracked as CVE-2022-0492 (CVSS score: 7.0), can be exploited by an attacker to escape a container to execute arbitrary commands on the container host.

The issue is a privilege escalation flaw affecting the Linux kernel feature called control groups (groups), that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.

“A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.” reads the advisory published for this flaw.

Major Linux distros, including Suse, Ubuntu, and Redhat, also published their own advisories.

The flaw resides in the cgroups v1 release_agent functionality which is executed after the termination of any process in the group.

The root cause of the problem is the cgroups implementation in the Linux kernel that did not properly restrict access to the feature. A local attacker could exploit this vulnerability to gain administrative privileges.

The vulnerability was discovered by the security researchers Yiqi Sun and Kevin Wang.

“On Feb. 4, Linux announced CVE-2022-0492, a new privilege escalation vulnerability in the kernel. CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers.” reads the analysis published by Palo Alto Networks Unit 42 researcher Yuval Avrahami. “The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users.”

According to Palo Alto Networks, CVE-2022-0492 is caused by the lack of check that the process setting the release_agent file has administrative privileges (i.e. the CAP_SYS_ADMIN capability).

Attackers that can write to the release_agent file, can force the kernel into invoking a binary of their choosing with elevated privileges and take over the machine. Only processes with “root” privileges can write to the file.

“Because Linux sets the owner of the release_agent file to root, only root can write to it (or processes that can bypass file permission checks via the CAP_DAC_OVERRIDE capability). As such, the vulnerability only allows root processes to escalate privileges.” continues the analysis. “At first glance, a privilege escalation vulnerability that can only be exploited by the root user may seem bizarre. Running as root doesn’t necessarily mean full control over the machine: There’s a gray area between the root user and full privileges that includes capabilities, namespaces, and containers. In these scenarios where a root process doesn’t have full control over the machine, CVE-2022-0492 becomes a serious vulnerability.”

Users are recommended to apply the security fixes as soon as possible. Containers running AppArmor or SELinux security systems are not impacted.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SIM swapping)

[adrotate banner=”5″]

[adrotate banner=”13″]