📖

Linux Docker release_agent cgroups escape

Formula

Group

ConceptOS

Keywords

Docker Linux Privilege Escalation

Last edited time

May 21, 2024 2:57 PM

Slug

Status

Review

Title

Code inside page

Github

👉 Overview
👀 What ?
🧐 Why ?
⛏️ How ?
⏳ When ?
⚙️ Technical Explanations
🖇️ References

👉 Overview

👀 What ?

Linux Docker release_agent cgroups escape is a security issue that allows a user to gain unauthorized access to the host system from within a Docker container. It relies on the misuse of a feature in cgroups, a Linux kernel feature used to limit and isolate resource usage of process groups.

🧐 Why ?

Understanding this security issue is important because it deals with a potential vulnerability in Docker containers, which are widely used in the industry for deploying applications. If not properly monitored and mitigated, it can lead to unauthorized access and control of host systems, leading to potential data theft, disruption of services, or further attacks on the network.

⛏️ How ?

Mitigation of this issue involves ensuring that Docker containers are run with least privilege, regularly updating Docker to the latest version, and monitoring container activity for any unusual behavior. It's also recommended to use user namespaces to map container root users to non-privileged host users.

⏳ When ?

The Linux Docker release_agent cgroups escape issue has been known since Docker's early days and continues to be a concern, especially in environments where Docker containers are not properly isolated and secured.

⚙️ Technical Explanations

The security issue, known as Linux Docker release_agent cgroups escape, is a vulnerability that leverages a feature in cgroups, a Linux kernel feature used to limit and manage the resource usage of process groups. The weakness lies in the cgroups 'release_agent' parameter, which triggers the execution of a specific script when cgroups become empty.

In a Docker context, if a user within a Docker container has write access to this parameter, they can specify a script that will execute with the privileges of the host system. This leads to what we call a privilege escalation, where the user gains unauthorized access and control over the host system, beyond what they were initially permitted.

The vulnerability is particularly exploitable in situations where the Docker daemon is running as the root user or if the Docker container is launched with the '--privileged' flag. Both scenarios provide the Docker container with a higher level of permissions than is typically safe, increasing the risk of this security issue.

To mitigate this issue, it's important to follow good security practices such as running Docker containers with the least privilege necessary, keeping Docker updated to its latest version, and monitoring container activity for unusual behaviors. Additionally, implementing user namespaces to map container root users to non-privileged host users is recommended. This security issue has been known since Docker's early days and continues to be a concern, particularly in environments where Docker containers are not properly isolated and secured.

Let's take a look at a detailed example of how the Linux Docker release_agent cgroups escape issue might occur, and how to mitigate it.

Step 1 - Setup: Imagine you have a Docker container running a web application. This container is launched with the --privileged flag, giving it extended privileges:

docker run --privileged -d my_web_application

Step 2 - Exploitation: An attacker who has gained access to the container could attempt to write to the release_agent parameter of the cgroup:

echo "/tmp/evil_script.sh" > /sys/fs/cgroup/release_agent

In this case, /tmp/evil_script.sh is a script that the attacker has written which, when executed, performs malicious actions on the host system.

Step 3 - Triggering: The attacker then makes the cgroup empty, triggering the release_agent:

echo 0 > /sys/fs/cgroup/my_cgroup/tasks

This executes the evil_script.sh on the host system with root privileges, leading to privilege escalation.

Mitigation:

To mitigate such an issue, there are several steps you can take:

Don't run containers with the -privileged flag: This reduces the permissions that a potential attacker might have within the container:

docker run -d my_web_application

Use user namespaces: This maps the container's root user to a non-privileged user on the host:

dockerd --userns-remap=default

Keep Docker updated: Regularly update Docker to the latest version to ensure you have the latest security patches.
Monitor container activity: Use tools like Docker Bench for Security to automatically check for potential security issues.

Remember, this is a hypothetical example for educational purposes. Always ensure you follow best security practices when setting up and managing your Docker containers.