Palo Alto’s Unit 42 team reported a vulnerability in one of the Go libraries that Kubernetes and OpenShift rely on.
Aviv Sasson, a security researcher on Palo Alto’s Unit 42 team, first found the flaw. An attacker can place a malicious image in a registry, and when an unsuspecting user pulls that image, the result is a denial of service (DoS).
“Through this vulnerability, malicious actors could jeopardize any containerized infrastructure that relies on these vulnerable container engines, including Kubernetes and OpenShift,” Sasson said in a post on Wednesday.
CRI-O and Podman are container engines, similar to Docker, that are used to perform actions and manage containers in the cloud. They use the containers/storage library for storing and downloading container images.
When the vulnerability is triggered, CRI-O and Podman fail to perform regular tasks such as pulling new images, starting new containers, retrieving local image lists, retrieving running pods, and exec'ing into containers, Sasson said.
Sasson explained that many clusters use CRI-O and are therefore vulnerable. The consequences could be rather grave:
“In an attack scenario, an adversary may pull a malicious image to multiple different nodes, crashing all of them and breaking the cluster without leaving a way to fix the issue other than restarting the nodes.”
He described a possible chain of events that can lead to a deadlock, after which the container engine would not execute any new requests.
“An adversary could upload to the registry a malicious layer that aims to exploit the vulnerability and then upload an image that uses numerous layers, including the malicious layer, and by that create a malicious image,” Sasson explained. “Then, when the victim pulls the image from the registry, it will download the malicious layer in that process and the vulnerability will be exploited.”
The bug was patched in version 1.28.1 of containers/storage; CRI-O version v1.20.2; and Podman version 3.1.0.
Admins are encouraged to update the products as soon as possible.
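To act on the fixed versions listed above, the following sketch flags hosts and Go projects that are still below them. It is an added example, not code from Unit 42 or the affected projects. The hostnames, sample version strings and sample go.mod text are constructed, and it assumes upstream version numbering, so distribution packages with backported fixes need to be checked against the vendor's advisory instead.

```python
import re

# Fixed versions exactly as listed in the article.
PATCHED = {
    "containers/storage": (1, 28, 1),
    "cri-o": (1, 20, 2),
    "podman": (3, 1, 0),
}
# major.minor.patch, optional leading "v", optional pre-release suffix.
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.\-]+)?")
_GOMOD_STORAGE = re.compile(r"github\.com/containers/storage\s+(v\S+)")

def is_patched(component, version_text):
    """Return True/False, or None when no version can be parsed."""
    m = _VERSION.search(version_text or "")
    if m is None:
        return None
    found = tuple(int(p) for p in m.group(1, 2, 3))
    fixed = PATCHED[component]
    if found == fixed and m.group(4):
        # 3.1.0-rc1 or a Go pseudo-version sorts before the fixed release.
        return False
    return found >= fixed

def storage_pin_from_gomod(gomod_text):
    """Return the first containers/storage version named in go.mod text."""
    for line in gomod_text.splitlines():
        m = _GOMOD_STORAGE.search(line.split("//", 1)[0])
        if m:
            return m.group(1)
    return None

def audit(inventory):
    """Rows of (host, component, version_text) not confirmed as patched."""
    return [row for row in inventory if is_patched(row[1], row[2]) is not True]

# Constructed sample data; hostnames and versions are illustrative only.
SAMPLE = [
    ("node-a", "podman", "podman version 3.0.1"),
    ("node-b", "podman", "podman version 3.1.0-rc1"),
    ("node-c", "cri-o", "crio version 1.20.2"),
    ("node-d", "cri-o", "unknown"),
]
SAMPLE_GOMOD = "require (\n\tgithub.com/containers/storage v1.26.0 // indirect\n)\n"

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("update or review:", row)
    pin = storage_pin_from_gomod(SAMPLE_GOMOD)
    print("go.mod pin", pin, "patched:", is_patched("containers/storage", pin))
```

Unparseable versions are reported rather than skipped, so a host that cannot be inventoried is treated as needing review.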