Incorrect permission assignment for critical resource in CRI-O

#VU68299 Incorrect permission assignment for critical resource in CRI-O

Published: 2022-10-13

Vulnerability identifier: #VU68299

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0532

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CRI-O
Web applications / Modules and components for CMS

Vendor: CRI-O

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect sysctls validation in CRI-O. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

CRI-O: 1.21.0 - 1.21.2

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2051730

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Incorrect permission assignment for critical resource in Red Hat OpenShift on IBM Cloud

Multiple vulnerabilities in OpenShift Container Platform 4.12

Security restrictions bypass in Red Hat OpenShift Container Platform 4.8

Security restrictions bypass in OpenShift Container Platform 4.9

Security restrictions bypass in CRI-O