CVE-2022-23648
📋 TL;DR
This vulnerability in containerd's CRI plugin on Linux allows a container started from a specially-crafted image (one whose image configuration declares volumes) to obtain read-only copies of arbitrary files and directories on the host. Because the volumes come from the image rather than the pod spec, it bypasses policy enforced at container setup, including Kubernetes Pod Security Policy, and can expose sensitive host data. Affected users include anyone running a vulnerable containerd version behind a CRI client such as the Kubernetes kubelet or crictl.
💻 Affected Systems
- containerd
- Kubernetes (when using containerd CRI)
- crictl (when using containerd CRI)
📦 What is this software?
Containerd by Linuxfoundation
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain read access to sensitive host files like SSH keys, Kubernetes secrets, configuration files, and credentials, leading to lateral movement and privilege escalation.
Likely Case
Unauthorized access to container host files containing application secrets, configuration data, or other sensitive information.
If Mitigated
Limited impact if only images from trusted, verified sources can reach the nodes, since the attacker must get a crafted image run through containerd. Network policies and minimal host mounts do not prevent the read, but they limit what an attacker can do with whatever is exposed.
🎯 Exploit Status
Exploitation requires the ability to supply a crafted container image and have it run through containerd's CRI plugin; no host or cluster privileges beyond running a pod from that image are needed. A public proof-of-concept exists (see the Packet Storm Security reference below).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: containerd 1.6.1, 1.5.10, or 1.4.13 (all earlier 1.4.x and 1.5.x releases and 1.6.0 are affected)
Vendor Advisory: https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
Restart Required: Yes
Instructions:
1. Identify the running containerd version: 'containerd --version'.
2. On a Kubernetes node, cordon and drain it first ('kubectl cordon <node>' then 'kubectl drain <node> --ignore-daemonsets') so workloads are rescheduled before the runtime goes down.
3. Stop the containerd service: 'systemctl stop containerd'.
4. Update containerd with the package manager: 'apt-get update && apt-get install containerd' or 'yum update containerd'. If containerd came from Docker's repository the package is named containerd.io instead.
5. Verify the new version: 'containerd --version'.
6. Start containerd again: 'systemctl start containerd'.
7. Restart dependent services such as kubelet if using Kubernetes, then uncordon the node ('kubectl uncordon <node>').
🔧 Temporary Workarounds
Restrict Image Sources
Only allow container images from trusted registries, with image signing and signature verification enforced before a pod can be scheduled. This is the mitigation the upstream advisory recommends, because the attacker must get a crafted image onto the node.
Configure containerd to use allowed registries only
Implement image signature verification with cosign or similar
Implement Pod Security Standards
Use Kubernetes Pod Security Standards to restrict privileged containers and host path mounts. Note that this CVE does not rely on hostPath mounts in the pod spec, so pod-level policy does not block the vulnerable code path; treat it as defense in depth that limits what else an attacker can do, not as a fix.
kubectl label namespace <namespace> pod-security.kubernetes.io/enforce=restricted
Apply PodSecurityPolicy or Pod Security Admission controller
🧯 If You Can't Patch
- Admit only images from registries you control, and pin workloads to image digests rather than mutable tags, so a crafted image cannot be substituted for a known one
- Implement strict network policies to limit container communication and slow lateral movement once host data has been read
- Use read-only root filesystems for containers and minimize host path mounts; these do not prevent the read but reduce the blast radius of exposed credentials
🔍 How to Verify
Check if Vulnerable:
Check the containerd version: 'containerd --version | grep -E "(^|[ v])1\.(4\.([0-9]|1[0-2])|5\.[0-9]|6\.0)([^0-9]|$)"'. The expression matches 1.4.0 through 1.4.12, 1.5.0 through 1.5.9, and 1.6.0 (including 1.6.0 pre-releases); if it prints a line, the system is vulnerable. Distribution packages may carry the fix under a backported version string, so for Debian, Fedora and Gentoo compare the installed package version against the distribution advisory (DSA-5091, the Fedora announcements and GLSA 202401-31 in the references) rather than relying on the upstream number alone.
Check Version:
containerd --version
Verify Fix Applied:
Verify that 'containerd --version' reports 1.4.13 or later on the 1.4 branch, 1.5.10 or later on the 1.5 branch, or 1.6.1 or later; any of these contains the fix commit listed in the references.
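The version check above, turned into a small POSIX shell script. This is an added example written for this page, not a tool from the containerd project: it parses the first line of 'containerd --version' (upstream and Docker's containerd.io package both put the version in the third field, which is an observation about their output format rather than a documented contract) and classifies the version against the fixed releases 1.4.13, 1.5.10 and 1.6.1. Pre-release and build suffixes are ignored, so 1.6.0-rc.2 is treated as 1.6.0. The sample output line at the bottom is constructed so the script runs on a machine without containerd; the commit field in it is a placeholder.

```shell
#!/bin/sh
# Added example for this page (not containerd project code): classify a
# containerd version string against the CVE-2022-23648 fix versions.
# Fixed: 1.4.13, 1.5.10, 1.6.1 and later. Affected: older 1.4.x/1.5.x, 1.6.0,
# and everything before 1.4. Status is printed on stdout: vulnerable|fixed|unknown.

# True if $1 is a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Pull the version token out of the first line of `containerd --version`.
# Upstream prints   "containerd github.com/containerd/containerd v1.5.9 <commit>"
# containerd.io prints "containerd containerd.io 1.6.0 <commit>"
# Both carry the version in field 3; a leading "v" is stripped.
containerd_version_from_output() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $3}' | sed 's/^v//'
}

# Classify "1.5.9", "v1.5.9", "1.6.0-rc.2", ... Suffixes after "-" or "+"
# (pre-release, build metadata) are dropped before comparison.
containerd_cve_2022_23648_status() {
    v=$(printf '%s' "$1" | sed -e 's/^v//' -e 's/[-+].*$//')
    case "$v" in
        *.*.*) ;;                         # need major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}                    # ignore a fourth component if present
    if ! is_uint "$major" || ! is_uint "$minor" || ! is_uint "$patch"; then
        echo unknown; return 0            # non-numeric component
    fi
    if [ "$major" -ne 1 ]; then
        echo unknown; return 0            # only the 1.x series is covered here
    fi
    if [ "$minor" -lt 4 ]; then
        echo vulnerable                   # 1.3 and older predate every fix
    elif [ "$minor" -eq 4 ]; then
        if [ "$patch" -lt 13 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$minor" -eq 5 ]; then
        if [ "$patch" -lt 10 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$minor" -eq 6 ]; then
        if [ "$patch" -lt 1 ]; then echo vulnerable; else echo fixed; fi
    else
        echo fixed                        # 1.7 and later branched after the fix
    fi
}

# Constructed sample line (not captured from a real host; commit is a placeholder)
# so the script can be exercised where containerd is not installed.
SAMPLE_VERSION_OUTPUT='containerd github.com/containerd/containerd v1.5.9 0000000000000000000000000000000000000000'

# Check the local daemon when present, otherwise fall back to the sample line.
if command -v containerd >/dev/null 2>&1; then
    out=$(containerd --version 2>/dev/null || true)
else
    out=$SAMPLE_VERSION_OUTPUT
fi
ver=$(containerd_version_from_output "$out")
echo "containerd $ver: $(containerd_cve_2022_23648_status "$ver")"
```

Run it on each node (or feed it the output of 'containerd --version' collected by your configuration management) and treat anything other than "fixed" as needing attention; "unknown" means the version string did not parse and should be inspected by hand, which is also the right outcome for distribution packages whose backported fix is not visible in the upstream version number.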
📡 Detection & Monitoring
Log Indicators:
- Unusual container image pulls from untrusted sources
- Containerd logs showing volume mount operations with suspicious paths
- Kubernetes audit logs showing pod creation that references images from unexpected registries or untagged/unpinned images (the crafted volume declaration lives in the image config, which the audit log does not show, so the image reference is the indicator to watch)
Network Indicators:
- Containers making unexpected outbound connections after startup
- Traffic to external registries for unknown images
SIEM Query:
Generic pseudo-query; field and source names depend on the SIEM and on how containerd logs are shipped: source="containerd" AND ("volume" OR "mount") AND (path="/etc/*" OR path="/root/*" OR path="/var/run/secrets/*" OR path="/home/*/.ssh/*")
🔗 References
- http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html
- https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70
- https://github.com/containerd/containerd/releases/tag/v1.4.13
- https://github.com/containerd/containerd/releases/tag/v1.5.10
- https://github.com/containerd/containerd/releases/tag/v1.6.1
- https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO/
- https://security.gentoo.org/glsa/202401-31
- https://www.debian.org/security/2022/dsa-5091