Flaws also allow malicious actor to control all guest VMs
A talk delivered at the virtual Black Hat Asia conference today by security researcher Yuval Avrahami detailed how the flaws in Kata’s containers could also be exploited to compromise other guest users.
Containers are similar to virtual machines (VM) in that they enable software to be run reliably in different environments. However, unlike VMs, containers share the host’s kernel.
Vulnerabilities in the host kernel could lead to breakouts, Avrahami told conference attendees.
Kata’s open source containers mitigate this by spawning each container inside a lightweight VM and can function as the underlying runtime in Docker and Kubernetes, Avrahami explained.
This means that even if an attacker breaks out of a container, they are still confined to a VM and don’t have access to the host kernel.
However, as Avrahami demonstrated, this cannot be relied on as a foolproof security method.
Sandboxed containers are often used in multi-tenancy environments and by cloud service providers, which provide a service for multiple customers on the same platform.
Kata containers contain a number of vulnerabilities that can be chained to not only compromise the host kernel, but other users’ machines too.
Kata doesn’t enforce device cgroup, meaning a guest can gain access to the hardware of the guest container. This means that by manipulating the hard disk, they could gain RCE on the host.
However, even with access to the hard disk, a malicious attacker cannot break out of the sandbox due to the page and dentry cache.
Linux uses a page cache so that it doesn’t have to use the hard disk every time it needs to fetch something. Therefore, Avrahami said, an attacker would have to force the guest kernel to free the page cache.
This can be done by flooding the page cache with garbage code to clear it, forcing the kernel agent to read from the malicious hard disk, resulting in a sandbox breakout.
By then chaining this vulnerability with a malicious image vulnerability, Avrahami was able to achieve RCE on the host.
Exploiting guest networks
The attack doesn’t end there.
Kata uses Cloud Hypervisor, which contained a vulnerability that persists guest filesystem changes to the underlying image file on the host.
This means that a malicious guest can overwrite the image file to gain control of all subsequent guest VMs – a serious danger for cloud service providers.
All vulnerabilities were disclosed to the vendor and have been patched.
Avrahami warned container users not to rely on the technology as a sole source of security protection.
“Containers are only as secure as their configuration, and a simple way to improve their security is to drop unused privileges,” the researcher said.
He added: “You really should remove capabilities from the container that it doesn’t use.”
Avrahami also warned that while sandboxes do improve security by limiting the attack surface, they aren’t “magic”.
“An attacker would find a way to break out,” he said.
“So the point here is don’t bet all of your chips on one bet, don’t only rely on the sandbox.”