A local privilege escalation vulnerability (CVE-2021-22555) was recently discovered in the Linux Netfilter module. This vulnerability was exploited in kCTF to attack Kubernetes pod containers to achieve container escape. CVE-2021-22555 poses high risks. We recommend that you detect and fix it as soon as possible.
Detected vulnerability
CVE ID: CVE-2021-22555
Severity: High
Affected versions: Linux kernel versions
2.6.19(9fa492cdc160cd27ce1046cb36f47d3b2b1efa21)and laterAffected ECS images include:
Alibaba Cloud Linux 2/3
CentOS 7/8
RedHat 7/8
Ubuntu 14/16/18/20
Debian 8/9/10
SUSE Linux Enterprise Server 12/15
OpenSUSE 42.3/15
Details
The Linux Netfilter module has a heap out-of-bounds write vulnerability in how it handles the IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) setsockopt option. This flaw allows a local user to escalate privileges through a user namespace. The vulnerability was exploited in kCTF to achieve container escape from Kubernetes pods and has been in the Linux kernel code for 15 years.
Security suggestions
If your ECS instance runs Alibaba Cloud Linux 2, see Kernel hot patch solution for the CVE-2021-22555 security vulnerability in Alibaba Cloud Linux 2.
For other OS distributions, upgrade the Linux kernel to a patched version listed below.
5.12(b29c457a6511435960115c0f548c4360d5f4801d)5.10.315.4.1134.19.1884.14.2314.9.2674.4.267
Temporary mitigation provided by Red Hat:
To mitigate this vulnerability, run the following command to prevent unprivileged users from using CLONE_NEWUSER and CLONE_NEWNET.
echo 0 > /proc/sys/user/max_user_namespacesReferences
Announcing party
Alibaba Cloud Computing Co., Ltd.