Attackers Escape Kubernetes Containers using “cr8escape” Vulnerability in CRI-O

Threat Level – Amber | Vulnerability Report

THREAT LEVEL: Red.

For a detailed advisory, download the PDF file here.

A flaw in CRI-O, an open-source Linux implementation of Kubernetes’ Container Runtime Interface (CRI), was discovered that may allow an attacker to gain remote control of servers and potentially poison the container with attack code.

The “cr8escape” vulnerability (CVE-2022-0811) allows an attacker to circumvent the host’s defenses and set arbitrary kernel parameters. As a result, attackers with permissions to deploy a pod on a Kubernetes cluster using the CRI-O runtime can exploit the “kernel.core_pattern” parameter to accomplish container escape and run arbitrary code as root on any node in the cluster. This allows an attacker to carry out a range of operations on targets, including malware execution, data exfiltration, and lateral movement across pods.

The vulnerability has been patched in CRI-O versions 1.19.6, 1.20.7, 1.21.6, 1.22.3, 1.23.2, 1.24.0.
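To check a cluster against the patched releases listed above, the following added example (not part of the original advisory or of the CRI-O project) classifies each node from the output of `kubectl get nodes -o json`. The node names and sample JSON are constructed, and treating branches newer than 1.24 as patched is an assumption.

```python
import json
import re

# First fixed patch release per minor branch, taken from the advisory text.
FIXED = {(1, 19): 6, (1, 20): 7, (1, 21): 6, (1, 22): 3, (1, 23): 2, (1, 24): 0}

def classify_runtime(runtime_version):
    """Return 'not-cri-o', 'patched', 'vulnerable' or 'unknown' for one node."""
    if not runtime_version.startswith("cri-o://"):
        return "not-cri-o"
    # Only plain x.y.z is accepted; suffixed builds (-dev, -rc) stay 'unknown'.
    m = re.fullmatch(r"cri-o://(\d+)\.(\d+)\.(\d+)", runtime_version)
    if not m:
        return "unknown"
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    # Assumption: branches newer than 1.24 carry the fix. Older branches are
    # not covered by the advisory, so they are reported as unknown.
    return "patched" if branch > max(FIXED) else "unknown"

def audit_nodes(node_list_json):
    """Map node name -> (runtime string, verdict) from `kubectl get nodes -o json`."""
    report = {}
    for item in json.loads(node_list_json)["items"]:
        runtime = item["status"]["nodeInfo"]["containerRuntimeVersion"]
        report[item["metadata"]["name"]] = (runtime, classify_runtime(runtime))
    return report

# Constructed sample, trimmed to the fields the audit reads.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "node-a"},
     "status": {"nodeInfo": {"containerRuntimeVersion": "cri-o://1.23.2"}}},
    {"metadata": {"name": "node-b"},
     "status": {"nodeInfo": {"containerRuntimeVersion": "cri-o://1.21.5"}}},
    {"metadata": {"name": "node-c"},
     "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.8"}}},
]})

if __name__ == "__main__":
    for name, (runtime, verdict) in sorted(audit_nodes(SAMPLE).items()):
        print(f"{name:10} {runtime:22} {verdict}")
```

Nodes reported as `unknown` need a manual check against the CRI-O release notes, since the advisory gives no fixed release for their branch.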

Potential MITRE ATT&CK TTPs are:

TA0042: Resource Development
T1588: Obtain Capabilities
T1588.006: Obtain Capabilities: Vulnerabilities
TA0002: Execution
T1059: Command and Scripting Interpreter
TA0007: Discovery
T1613: Container and Resource Discovery
TA0003: Persistence
TA0001: Initial Access
T1133: External Remote Services

Vulnerability Details

Patch Link

https://github.com/cri-o/cri-o/releases

References

https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/
