CVE-2022-23648
Insecure Handling vulnerability in containerd (Go)

Insecure Handling Proof of concept

What is CVE-2022-23648 About?

This vulnerability involves the containerd CRI plugin's insecure handling of image volumes, which can lead to privilege escalation or container escape. Attackers can leverage this flaw by crafting malicious image configurations. Exploitation is moderately complex and requires knowledge of container internals.

Affected Software

  • github.com/containerd/containerd
    • >1.6.0, <1.6.1
    • >1.5.0, <1.5.10
    • <1.4.13

Technical Details

The containerd CRI plugin insecurely handles image volumes: when a container image is instantiated, the volume configurations, in particular how the volumes are mounted or linked within the container's filesystem, are not adequately sanitized or validated. An attacker can craft a malicious image whose volumes are specifically configured so that, when processed by the CRI plugin, they allow arbitrary file system access outside the container's intended boundaries, privilege escalation on the host, or container escape by manipulating mount points or symbolic links.
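The following Go snippet is an added defensive illustration, not code from this advisory or from containerd itself. It contrasts the two ways a volume path declared in an image can be resolved against the unpacked rootfs: host-side symlink following, where an absolute link target placed inside the image is interpreted against the host root and so can point outside the rootfs, and chroot-style resolution, which re-anchors every link target at the rootfs and clamps ".." there. The function names hostResolve and chrootResolve are assumptions of this example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// hostResolve follows symlinks host-side: an absolute link target inside the image lands on the host root.
func hostResolve(rootfs, vol string) (string, error) {
	return filepath.EvalSymlinks(filepath.Join(rootfs, vol))
}

// chrootResolve resolves vol as a chroot into rootfs would: symlink targets are re-anchored
// at rootfs, ".." is clamped at rootfs, and not-yet-existing components are appended lexically.
func chrootResolve(rootfs, vol string) (string, error) {
	parts, cur, hops := strings.Split(vol, "/"), "/", 0
	for len(parts) > 0 {
		p := parts[0]
		parts = parts[1:]
		if p == "" || p == "." {
			continue
		}
		next := filepath.Join(cur, p) // Join clamps ".." at "/"
		fi, err := os.Lstat(filepath.Join(rootfs, next))
		if os.IsNotExist(err) {
			rest := filepath.Join(append([]string{next}, parts...)...)
			return filepath.Join(rootfs, rest), nil
		} else if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			cur = next
			continue
		}
		if hops++; hops > 40 {
			return "", errors.New("too many symlinks")
		}
		target, err := os.Readlink(filepath.Join(rootfs, next))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target: restart from the rootfs, never from the host root
		}
		parts = append(strings.Split(target, "/"), parts...)
	}
	return filepath.Join(rootfs, cur), nil
}
```

A scanner for unpacked images can flag any declared volume for which hostResolve returns a path outside the rootfs, while a runtime should only ever use chroot-style resolution.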

What is the Impact of CVE-2022-23648?

Successful exploitation may allow attackers to gain unauthorized access to host file systems, escalate privileges within the container environment, execute arbitrary code on the host, or achieve container escape.

What is the Exploitability of CVE-2022-23648?

Exploitation of this vulnerability requires the ability to create and deploy malicious container images. The complexity is moderate, as it involves crafting specific volume configurations within an image. Authentication requirements depend on the container orchestration platform: if an attacker can push images to a registry used by the vulnerable containerd instance, they can exploit this remotely. Privilege requirements are limited to enough permissions to deploy a container image, so this is primarily a remote attack whenever the attacker can submit images to be run. Special conditions include the specific configuration of the CRI plugin and how it handles volume mounts. Risk is increased in multi-tenant container environments where untrusted users can deploy images.

What are the Known Public Exploits?

PoC Author   Link   Commentary
raesene      Link   POC for CVE-2022-23648

What are the Available Fixes for CVE-2022-23648?

Available Upgrade Options

  • github.com/containerd/containerd
    • <1.4.13 → Upgrade to 1.4.13
    • >1.5.0, <1.5.10 → Upgrade to 1.5.10
    • >1.6.0, <1.6.1 → Upgrade to 1.6.1

Additional Resources

What are Similar Vulnerabilities to CVE-2022-23648?

Similar Vulnerabilities: CVE-2023-28103, CVE-2022-3171, CVE-2021-41190, CVE-2020-15257, CVE-2019-5736