A local privilege escalation vulnerability (CVE-2021-22555) was recently discovered in the Linux Netfilter module. This vulnerability was exploited in kCTF to attack Kubernetes pod containers to achieve container escape. CVE-2021-22555 poses high risks. We recommend that you detect and fix it as soon as possible.

Detected vulnerability

  • Vulnerability ID: CVE-2021-22555
  • Vulnerability severity: high
  • Affected versions: Linux operating systems whose kernel versions are 2.6.19(9fa492cdc160cd27ce1046cb36f47d3b2b1efa21) or later.
  • Affected Elastic Compute Service (ECS) images:
    • Alibaba Cloud Linux 2/3
    • CentOS 7/8
    • RedHat 7/8
    • Ubuntu 14/16/18/20
    • Debian 8/9/10
    • SUSE Linux Enterprise Server 12/15
    • OpenSUSE 42.3/15

Details

A heap out-of-bounds write vulnerability was found in the IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the Linux Netfilter module. This vulnerability allows local users to escalate privileges by using user namespaces and can be exploited in kCTF to attack Kubernetes pod containers to achieve container escape. This vulnerability has existed in Linux kernel code for 15 years.

Security suggestions

Upgrade your Linux kernels to the following secure versions as soon as possible:
  • 5.12(b29c457a6511435960115c0f548c4360d5f4801d)
  • 5.10.31
  • 5.4.113
  • 4.19.188
  • 4.14.231
  • 4.9.267
  • 4.4.267

RedHat provides the following temporary fix suggestion:

Run the following command to prevent unprivileged users from using CLONE_NEWUSER and CLONE_NEWNET, which mitigates the impact of this vulnerability:
echo 0 > /proc/sys/user/max_user_namespaces
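The following POSIX shell script is an added example and is not part of this advisory or of any vendor tooling. It checks a kernel version string against the upstream fixed versions listed above and checks whether the RedHat temporary mitigation (max_user_namespaces set to 0) is in effect. The function and variable names are the example's own. Note the assumption built into the version check: distribution kernels (for example the 4.18.0-based RHEL 8 kernel or the 3.10-based RHEL 7 kernel) carry backported fixes under version numbers that never appear in the upstream list, so for those series the script can only report "not in the upstream list" and defer to the vendor errata.

```shell
#!/bin/sh
# Added example (not from the advisory): CVE-2021-22555 version and
# mitigation check. Upstream fixed versions are taken from the advisory text.
FIXED_VERSIONS="5.12 5.10.31 5.4.113 4.19.188 4.14.231 4.9.267 4.4.267"

# ver_field VERSION N: print the N-th dotted numeric field of VERSION, or 0
# when absent. Distribution suffixes ("-77-generic", "-305.el8.x86_64") are
# stripped first so only the upstream major.minor.patch triple is compared.
ver_field() {
    printf '%s\n' "$1" | sed 's/[-+].*$//' | cut -d. -f"$2" \
        | sed 's/[^0-9].*$//' | grep . || echo 0
}

# kernel_is_fixed VERSION: exit 0 when VERSION is at or above an upstream
# fixed version, 1 otherwise. A series that is not in the upstream list is
# reported as not fixed; the vendor's backport status must be checked instead.
kernel_is_fixed() {
    maj=$(ver_field "$1" 1); min=$(ver_field "$1" 2); pat=$(ver_field "$1" 3)
    # 5.12 and every later mainline series contain the fix.
    if [ "$maj" -gt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -ge 12 ]; }; then
        return 0
    fi
    # Otherwise the running stable series must match one of the fixed series
    # and the patch level must be at least the fixed one.
    for fixed in $FIXED_VERSIONS; do
        fmaj=$(ver_field "$fixed" 1); fmin=$(ver_field "$fixed" 2)
        fpat=$(ver_field "$fixed" 3)
        if [ "$maj" -eq "$fmaj" ] && [ "$min" -eq "$fmin" ]; then
            [ "$pat" -ge "$fpat" ] && return 0
            return 1
        fi
    done
    return 1
}

# mitigation_active [FILE]: exit 0 when max_user_namespaces is 0, i.e. the
# temporary mitigation above is in effect. FILE defaults to the real sysctl
# path; a constructed file can be passed in for testing. Exit 2 if unreadable.
mitigation_active() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" -eq 0 ]
}

# report: summarize the running host. Informational only; never fails.
report() {
    running=$(uname -r)
    if kernel_is_fixed "$running"; then
        echo "kernel $running: at or above an upstream fixed version"
    else
        echo "kernel $running: not in the upstream fixed list; check vendor errata for a backported fix"
    fi
    if mitigation_active; then
        echo "mitigation: max_user_namespaces is 0 (unprivileged user namespaces disabled)"
    else
        echo "mitigation: unprivileged user namespaces still allowed"
    fi
}
report
```

Run the script on each host, or feed the functions version strings from an inventory export; the version check is only a first pass, and the mitigation check is the one that matters on hosts that cannot be rebooted immediately.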

References

Announcing party

Alibaba Cloud Computing Co., Ltd.