A newly discovered vulnerability in the CRI-O Kubernetes container runtime engine has once again underscored a growing need to better protect Kubernetes environments from malicious actors, while a report has highlighted a concerning disconnect among IT leaders when it comes to protecting Kubernetes containers.
Tracked as CVE-2022-0811, and dubbed cr8escape, the CRI-O bug was discovered by CrowdStrike researchers, who worked alongside Kubernetes at CRI-O to develop a patch, which was issued on Tuesday 16 March.
Container runtimes, like CRI-O or Docker, are used to safely share each Kubernetes node’s kernel and resources with the containerised apps that run on them. The Linux kernel is designed to accept runtime parameters to control its behaviour, some of which are namespaced, which means they can be set in a single container without impacting the wider system. Together, Kubernetes and CRI-O allow pods to update such safe settings while blocking access to unsafe ones.
Cr8escape, however, allows a malicious attacker to wiggle round these safeguards and enact arbitrary kernel parameters on the host, with the result that they can escape from the Kubernetes container, obtain root access on the host, and move anywhere else in the cluster that they want to perform a variety of actions, including exfiltrating data, or deploying malware or ransomware.
It directly affects version 1.19 and upwards of CRI-O, and a number of softwares and platforms that depend on it may also be vulnerable, such as OpenShift 4+, and Oracle Container Engine for Kubernetes. Users of CrowdStrike’s Falcon Cloud Workload Protection service are protected, but all are advised to apply the mitigations, and patch, detailed in CrowdStrike’s disclosure notice.
Crowdstrike’s disclosure coincides with the release of a report from multi-cloud data management specialist Veritas Technologies, which revealed that 91% of UK IT leaders using Kubernetes in their organisations said ransomware attacks conducted through their Kubernetes environments were a concern, and that 53% had experienced one.
Veritas’s study, which also polled decision makers in Apac, Emea and the Americas, found that in general, enterprises are underprepared to face threats against their Kubernetes environments, and in many cases are “dangerously slow” to extend data protection services.
The firm said UK businesses were missing an opportunity to deliver rapid protection to at-risk data sets by failing to extend existing data protection umbrellas to include containerised environments as well as traditional workloads – just 37% of organisations were following this model, the majority were complicating matters by deploying standalone security protections even though the majority also believed there were benefits in taking an integrated approach. Veritas suggested this might be due to a lack of awareness of services that can protect data across traditional, virtual and Kubernetes environments.
Veritas head of technology for the UK and Ireland, Ian Wood, commented: “Kubernetes offers a world of benefits for businesses – it’s affordable, flexible, scalable and really easy to deploy. So, embracing containerisation is a no-brainer for UK enterprises. Unfortunately, this often means that it’s really easy for organisations to surge ahead faster with their Kubernetes implementation than their Kubernetes protection.
“With applications in containerised environments shifting more and more to having stateful data, suddenly, they’ve found themselves with over two-thirds of their mission-critical Kubernetes environments completely unprotected from data loss. While the benefits of Kubernetes are vast, businesses need to ensure their protection measures keep pace so that Kubernetes doesn’t become the Achilles heel in their ransomware defence strategy.”
