A local privilege escalation vulnerability (CVE-2021-22555) was recently discovered in the Linux Netfilter module. This vulnerability was exploited in kCTF to attack Kubernetes pod containers to achieve container escape. CVE-2021-22555 poses high risks. We recommend that you detect and fix it as soon as possible.
Detected vulnerability
- Vulnerability ID: CVE-2021-22555
- Vulnerability severity: high
- Affected versions: Linux operating systems whose kernel versions are 2.6.19 (9fa492cdc160cd27ce1046cb36f47d3b2b1efa21) or later.
- Affected Elastic Compute Service (ECS) images:
  - Alibaba Cloud Linux 2/3
  - CentOS 7/8
  - RedHat 7/8
  - Ubuntu 14/16/18/20
  - Debian 8/9/10
  - SUSE Linux Enterprise Server 12/15
  - OpenSUSE 42.3/15
Details
A heap out-of-bounds write vulnerability was found in the IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the Linux Netfilter module. This vulnerability allows local users to escalate privileges through user namespaces and can be exploited in kCTF to attack Kubernetes pod containers to achieve container escape. This vulnerability has existed in Linux kernel code for 15 years.
Security suggestions
The vulnerability is fixed in the following Linux kernel versions:
- 5.12 (b29c457a6511435960115c0f548c4360d5f4801d)
- 5.10.31
- 5.4.113
- 4.19.188
- 4.14.231
- 4.9.267
- 4.4.267
RedHat provides the following temporary fix suggestion:
echo 0 > /proc/sys/user/max_user_namespaces
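A host-side check for the two suggestions above, added here as an example (it is not part of the original advisory or of any vendor tooling): it classifies a kernel release string against the kernel versions listed under Security suggestions and reports whether the max_user_namespaces setting is in place. It assumes upstream kernel.org version numbering; distribution kernels backport fixes without changing their base version, so for those the vendor advisory is authoritative. The function names and status labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify an upstream kernel release against this advisory.

# Patch level that carries the fix in each stable branch listed in the advisory.
fixed_patch() {
  case "$1" in
    5.10) echo 31 ;;  5.4)  echo 113 ;;
    4.19) echo 188 ;; 4.14) echo 231 ;;
    4.9)  echo 267 ;; 4.4)  echo 267 ;;
    *) return 1 ;;
  esac
}

# kernel_status RELEASE -> not-affected | fixed | vulnerable | unlisted | unknown
kernel_status() {
  local rel major minor patch rest need n
  case "$1" in *-rc*) echo unknown; return ;; esac  # pre-releases: cannot tell
  rel="${1%%[-+]*}"                                  # drop "-1160.el7" style suffixes
  IFS=. read -r major minor patch rest <<EOF
$rel
EOF
  patch="${patch:-0}"
  for n in "$major" "$minor" "$patch"; do
    case "$n" in ''|*[!0-9]*) echo unknown; return ;; esac
  done
  # The advisory lists 2.6.19 as the first affected version.
  if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 6 ]; } ||
     { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 19 ]; }; then
    echo not-affected; return
  fi
  # 5.12 and later mainline releases contain the fix.
  if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 12 ]; }; then
    echo fixed; return
  fi
  if need=$(fixed_patch "$major.$minor"); then
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
  else
    echo unlisted  # affected range, but no fixed release listed for this branch
  fi
}

# userns_mitigation VALUE -> applied when max_user_namespaces is 0
userns_mitigation() { if [ "$1" = "0" ]; then echo applied; else echo not-applied; fi; }

report() {
  local f=/proc/sys/user/max_user_namespaces
  echo "kernel $(uname -r): $(kernel_status "$(uname -r)")"
  if [ -r "$f" ]; then echo "userns mitigation: $(userns_mitigation "$(cat "$f")")"; fi
}
```

Call `report` on the host to print both results; a status of `unlisted` or `unknown` means the version string alone cannot settle the question and the distribution's own advisory should be consulted.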
Announcing party
Alibaba Cloud Computing Co., Ltd.