DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2022-27651: The Dangerous Inheritance: How CVE-2022-27651 Broke Container Least Privilege

Vulnerability ID: CVE-2022-27651
CVSS Score: 6.8
Published: 2022-04-01

A deep dive into a subtle but significant flaw in how Buildah and Docker Engine initialized Linux process capabilities. By populating the Inheritable set instead of leaving it empty, these runtimes let a process that had already dropped privileges regain capabilities inside the container, turning the kernel's own capability-transformation rules against the container security model.

TL;DR

Buildah and Docker Engine (Moby) were initializing containers with a fully populated Inheritable capability set, mirroring the bounding set, where an ordinary Linux process starts with an empty one. This violated the principle of least privilege: on execve(2) the kernel computes the new permitted set as (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)), so a non-root process in such a container could regain any capability in the bounding set simply by executing a binary whose file capabilities carry that capability in the inheritable (+i) set. On a correctly initialized system the first term is always zero and a +i file capability grants nothing. It is a classic case of "default insecure" configuration.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-276
  • Attack Vector: Local (Container)
  • CVSS: 6.8 (Medium)
  • Impact: Privilege Escalation (Intra-Container)
  • Exploit Status: PoC Available
  • Vulnerable Component: OCI Runtime Spec Generation

Affected Systems

  • Buildah: < 1.25.0 (fixed in 1.25.0; the release CVE-2022-27651 itself tracks)
  • Moby / Docker Engine: < 20.10.14 (fixed in 20.10.14; the same defect, tracked separately as CVE-2022-24769)
  • Podman: affected through its Buildah dependency (tracked separately as CVE-2022-27649, fixed in 4.0.3)

Code Analysis

Commit: e7e55c9

Fix CVE-2022-27651: Do not set Inheritable capabilities in OCI spec

- g.Config.Process.Capabilities.Inheritable = caps
+ g.Config.Process.Capabilities.Inheritable = []string{}
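Review bot: the hunk changes only the assignment and carries no test asserting that the generated OCI spec's Inheritable set is empty, so a later refactor of this function could silently reintroduce the bug; add a unit test on the serialized spec alongside this line. The single line of context also does not show whether `caps` is still fed into the bounding, permitted and effective sets after this point; if the intent is for those to keep the configured list, a comment at this line stating why Inheritable alone is cleared (`[]string{}` rather than the configured list) would document the decision for readers of the code.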

Exploit Details

Mitigation Strategies

  • Upgrade container runtimes immediately.
  • Audit container images for binaries with file capabilities (getcap -r / 2>/dev/null); pay particular attention to entries with an inheritable (+i) flag, which are the ones that become useful to an attacker when the Inheritable set is populated.
  • Run containers with a read-only root filesystem (--read-only) so an attacker cannot introduce new binaries with capability bits; pair it with a nosuid/noexec mount for any writable tmpfs.
  • Explicitly drop unused capabilities using --cap-drop=ALL and add back only what is strictly necessary; a capability absent from the bounding set cannot be regained through either term of the execve(2) rule.

Remediation Steps:

  1. Update Buildah to version 1.25.0 or later.
  2. Update Docker Engine (Moby) to version 20.10.14 or later.
  3. If patching is impossible, have the container entrypoint clear the Inheritable set before handing off to the application, for example with capsh: exec capsh --inh= --user=nobody -- -c '...'. Note this only protects processes that actually pass through the entrypoint; anything started via docker exec or an exec probe still inherits the runtime's defaults.

Read the full report for CVE-2022-27651 on our website for more details including interactive diagrams and full exploit analysis.
