New Rule Detect Linux Cgroup Container Escape Vulnerability (CVE-2022-0492) #1969
Conversation
darryk10
changed the title
rules/falco_rules.yaml
Outdated
| - rule: Linux Cgroup Container Escape Vulnerability (CVE-2022-0492) | ||
| desc: "Detect an attempt to exploit a container escape vulnerability in the Linux Kernel (CVE-2022-0492). By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container" | ||
| condition: | ||
| open_write and fd.name endswith release_agent and (user.uid=0 or thread.cap_permitted contains CAP_DAC_OVERRIDE) and excessively_capable_container |
There was a problem hiding this comment.
is this excessively_capable_container macro defined somewhere?
There was a problem hiding this comment.
the macro is introduced in this PR https://github.com/falcosecurity/falco/pull/1963/files done by @loresuso
There was a problem hiding this comment.
Then what non-default capabilities are needed for the exploit?
|
The prerequisite make it hard to exploit: |
|
Thanks @Kaizhe for the review :) |
|
/milestone 0.32.0 |
|
@Kaizhe Looking at other techniques where release_agent file is involved. I figured out the same rule is effective for all the techniques which involve release_agent file (included the CVE-2022-0492). So I redesigned the rule to be generic on the release_agent file. Hope it's better now :) Thanks again |
|
LGTM label has been added. Git tree hash: 0df959df0be336a07ffa70df7fd2b2e76a94f3a8
|
leogr
changed the title
|
Closing and reopening to trigger the CI |
|
@leogr: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@leogr: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
I think that tests are failing because the driver version used by this PR is still caa0e4d0044fdaaebab086592a97f0c7f32aeaa9. IIRC, thread.cap_effective was introduced later.
If so, rebasing this PR on top of the current master branch should solve the issue.
@darryk10 could you rebase this PR, please?
Signed-off-by: darryk10 <[email protected]> Co-authored-by: Lorenzo Susini <[email protected]>
Signed-off-by: darryk10 <[email protected]> Co-authored-by: Lorenzo Susini <[email protected]>
Signed-off-by: darryk10 <[email protected]> Co-authored-by: Lorenzo Susini <[email protected]>
Signed-off-by: darryk10 <[email protected]> Co-authored-by: Lorenzo Susini <[email protected]>
darryk10
force-pushed
the
new_rule_cve_2022_4092
branch
from
bda5e90 to
91ac709
Compare
|
LGTM label has been added. Git tree hash: 3fec78695d250747677d1877c4d6fd4af9ece392
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: darryk10, jasondellaluce, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR add a new rule to detect container escapes techniques (also used CVE-2022-0492 Linux Cgroup Container Escape Vulnerability) using new field available thread.cap_effective to check capabilities in the container which is part of the requirement for the exploitation.
Reference:
https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
Signed-off-by: darryk10 [email protected]
Co-authored-by: Lorenzo Susini [email protected]
What type of PR is this?
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
This PR add a new rule to detect container escapes techniques (also used CVE-2022-0492 Linux Cgroup Container Escape Vulnerability)
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: