Kubernetes Vulnerability Description CVE-2022-23648 | crowdstrike

Kubernetes Vulnerability Description CVE-2022-23648 |  crowdstrike

CVE-2022-23648reported by google zero project as of November 2021, is a Kubernetes runtime vulnerability found in Container, a popular Kubernetes runtime. It is found in the Containerd CRI plugin which handles OCI image specs that contain “Volumes”. The attacker can add a volume containing the path path to the image and use it to copy arbitrary files from the host to the container-mounted path.

The vulnerability was reported by Felix William on November 22, 2021, and a patch was released with Containerd versions 1.6.1, 1.5.1, and 1.4.13 on March 2, 2022.

Technical analysis

Let’s take a closer look at how the vulnerability resides in an unexpected layer of the container ecosystem and can lead to container leaks in your Kubernetes cluster.

Description of OCI Image Specifications

There are two specifications for a container image defined by the Open Container Initiative (OCI). These standards were first made available by Docker and later developed by the community.

  1. image specifications (image specifications). This specification defines how a container image and various image components, primarily the image’s manifest, index, and layout, should be packaged. This is where the image file system blob resides.
  2. Runtime specifications (runtime specifications). This is the configuration required to run the image as a container.

When a runtime like Containerd needs to start a container with an image, converts the image config blob given to a runtime config blob. Here the Containerd CRI plugin is unable to validate the paths in the Config.Volumes field before being used in the runtime field mounts. Containerd also copies the data to those mount roads. It is possible to look at Config.Volume OCI config blob field with tools like buildas shown below in Figure 1, in addition to the image creation steps.

Figure 1. Create vulnerable image

Containerd volume handling

The vulnerability resides in the following Containerd code, as shown in Figure 2 below, where an attacker-controlled volume path is used as the source in the copyExistingContents function. This function copies files from the attacker controlled volume path to a temporary folder which is then mounted inside a container. At this point, an attacker only needs to use route traversal to fool the attacker. copyExistingContents function to copy arbitrary files from the host file system.

The following is the simple attacker pod using our proof-of-concept image shown in Figure 1. Once this pod is created in the cluster, you can see that the files from the host are copied to the host’s file system. container in a mounted path, as shown in figures 3 and 4.

In this attack, without the use of real Kubernetes volumesAn attacker with pod creation privileges on the cluster can read arbitrary files from the Kubernetes node, resulting in a container leak.

Figure 3. Attacker Capsule

Figure 4. Host files copied to the container file system


CrowdStrike recommends updating to the latest version of Containerd to mitigate this issue. A patch it was released with versions 1.6.1, 1.5.1 and 1.4.13 of Containerd.

In case it is not possible to apply patches, CrowdStrike Falcon® The platform’s image scan protects clients from this vulnerability by identifying image blob configuration with path traversal in a volume path, as shown in Figure 5. Clients can also prevent images from being deployed. malicious in the cluster.

CrowdStrike® Falcon Horizon™ cloud security posture management (CSPM) implements CIS benchmarks to identify any indicators of misconfiguration (IOM) in your clusters and discover a weakness in the cloud environment. At the same time, CrowdStrike Falcon Cloud Workload Protection (CWP) prevents and detects malicious activity, including by eCrime and nation-state adversaries, in real time.

Figure 5. CrowdStrike Falcon Detects Traverse Path in Image Blob Volume Configuration


Kubernetes is made up of a number of software layers, and an attacker can use any misconfiguration or security issue in any layer to gain the necessary privileges and take over the cluster. As discussed, CVE-2022-23648 is one more example of the ongoing weakness in the container runtime used for Kubernetes container escaping. DevOps professionals should be aware of these issues and keep the environment up to date when patches become available.

Securing containers does not have to be an overly complex task. With the Falcon platform, you can easily identify security issues in your environment in real time. You can use the built-in Kubernetes features and implement best practices to keep your container environment secure. To enhance security, you can use built-in container security products such as CrowdStrike Falcon Cloud Workload Protection, which can seamlessly protect your Kubernetes environment.

CrowdStrike strives to support organizations that enable their users to stay ahead of the curve and remain fully protected from adversaries and breaches.

Additional Resources

Leave a Comment