CVE-2022-0185


Justin Hopper

Jan 27, 2022, 7:05:03 PM
to Flatcar Container Linux User
Hello,

We are running Flatcar in Azure for a Kubernetes installation.

Regarding this CVE, we wanted to confirm that this CVE was addressed in the Stable 3033.2.1 release. Using this image in a test Kubernetes cluster, we attempted to run the same "unshare -r" scenario that many people were using as a way to check if this CVE was exploitable (for example: https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes). But we see no change in the behavior in the latest Flatcar stable; capabilities are still reported as "full" after the unshare:

  nodeInfo:
    architecture: amd64
    bootID: <snip>
    containerRuntimeVersion: containerd://1.5.7
    kernelVersion: 5.10.93-flatcar
    kubeProxyVersion: v1.20.11
    kubeletVersion: v1.20.11
    machineID: fa33a5f155fa43de933e4074087128dd
    operatingSystem: linux
    osImage: <snip>
    systemUUID: <snip>
% k exec -ti ubutest2 -- /bin/bash                    
root@ubutest2:/# which pscap
/usr/bin/pscap
root@ubutest2:/# pscap -a
ppid  pid   name        command           capabilities
0     1     root        bash              chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap
0     290   root        bash              chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap
root@ubutest2:/# unshare -r
# id
uid=0(root) gid=0(root) groups=0(root)
# pscap -a
ppid  pid   name        command           capabilities
0     1     root        bash              chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap
0     290   root        bash              chown, dac_override, fowner, fsetid, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, audit_write, setfcap
290   301   root        sh                full
#
(For clarity, this is an Ubuntu container that I've installed pscap into already.)
Am I not understanding the process here, or is the above test not valid for proving the vulnerability is there and exploitable? My goal is to just make sure that this CVE is addressed for 3033.2.1.
Thanks,
Justin

Kai Lüke

Jan 28, 2022, 5:19:20 AM
to Justin Hopper, Flatcar Container Linux User
Hi,

The vulnerability was about the mount operation being exploitable, not
that it is available by accident (e.g., in your case through a user
namespace).
To summarize, CVE-2022-0185 got fixed and you find it in the security
section of the release notes:
https://www.flatcar.org/releases/#release-3033.2.1

Regards,
Kai



--
Kinvolk GmbH | Adalbertstr.6a, 10999 Berlin | tel: +491755589364

Geschäftsführer/Directors: Benjamin Owen Orndorff

Registergericht/Court of registration: Amtsgericht Charlottenburg

Registernummer/Registration number: HRB 171414 B

Ust-ID-Nummer/VAT ID number: DE302207000
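
Added example, not part of either post above: a small Python reader for `pscap -a` output like the one in the question, showing what the `full` row can and cannot tell you. The function names are hypothetical, the sample is the thread's output with the capability lists shortened, and the reading of `full` under a bounded parent as "root inside a new user namespace" is this example's interpretation.

```python
# Sample based on the thread's `pscap -a` output after `unshare -r`;
# capability lists are shortened for readability (constructed sample).
SAMPLE = """\
ppid  pid   name        command           capabilities
0     1     root        bash              chown, dac_override, setuid, setfcap
0     290   root        bash              chown, dac_override, setuid, setfcap
290   301   root        sh                full
"""

def parse_pscap(text):
    """Return {pid: (ppid, command, caps)} where caps is a frozenset of names."""
    procs = {}
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 4)          # ppid, pid, name, command, capabilities
        if len(fields) < 5:
            continue                          # blank or truncated line
        ppid, pid, _user, command, caps = fields
        names = frozenset(c.strip() for c in caps.split(",") if c.strip())
        procs[int(pid)] = (int(ppid), command, names)
    return procs

def userns_children(procs):
    """PIDs that report 'full' although their parent holds only a bounded set.

    Assumption of this example: such a process is root inside a new user
    namespace, so 'full' is scoped to that namespace, not to the host.
    """
    hits = []
    for pid, (ppid, _cmd, caps) in sorted(procs.items()):
        parent = procs.get(ppid)
        if caps == {"full"} and parent is not None and parent[2] != {"full"}:
            hits.append(pid)
    return hits

def interpret(text):
    """Summarise what the capability listing shows, and what it does not."""
    hits = userns_children(parse_pscap(text))
    if hits:
        pids = ", ".join(str(p) for p in hits)
        return ("user namespaces can be created (pid %s); "
                "this does not show whether the kernel is patched" % pids)
    return ("no user-namespace root process seen; "
            "this does not show whether the kernel is patched")

if __name__ == "__main__":
    print(interpret(SAMPLE))
```

Either result leaves the patch question open; that is answered by the release notes linked in the reply.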