Is my Docker container vulnerable to cgroup controller escapes?

Containers that are running in privileged mode may be vulnerable to a container escape. This TTP attempts to configure the cgroup controller release_agent to spawn a privileged Pneuma agent on the Docker host system. It is important that containers are not running in privileged mode, as adversaries may abuse cgroup controllers to elevate privilege and escape the container.
This week, we are releasing a Docker container escape TTP:
  • Is my Docker container vulnerable to cgroup controller escapes?

For this week's TTP Tuesday, we're providing two Docker container escapes and a Docker container privilege escalation. These TTPs demonstrate how to escape from a Docker container using a cgroup controller release_agent, and to elevate privilege within a container by abusing hostPID permission. If a container is vulnerable, an attacker may be able to spawn a root shell on the host system.

Cgroups are a Linux kernel feature used to create hierarchical process groups. Linux kernel subsystems use these to modify the behavior of process groups, such as limiting the resources allocated to those processes.

A cgroup becomes empty when there are no running processes within it and it has no child cgroups. When this happens, the cgroup's release_agent is invoked and runs whatever command is stored in the release_agent file.

By manipulating a cgroup's release_agent file, it's possible to perform a container escape to the host system.

Note that this is not a vulnerability in Docker code, but rather a common security misconfiguration of Docker containers.

Testing

Execute Operator's Is my Docker container vulnerable to cgroup controller escapes? chain on each Docker container in your environment to test if you are vulnerable.

The chain tests two Docker cgroup controller escapes that will start a privileged Pneuma agent on the Docker host, and a privilege escalation that requires the hostPID flag to be enabled.
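The three settings the chain exercises (privileged mode for the two cgroup escapes, hostPID for the privilege escalation) are all visible in `docker inspect` output, so an inventory check can be run alongside the chain. The script below is an added example, not part of the Prelude chain or Operator: it parses `docker inspect` JSON and reports containers whose HostConfig has Privileged set or PidMode "host". The CAP_SYS_ADMIN check is an assumption that goes beyond the page (that capability is what allows a cgroup hierarchy to be mounted without full privileged mode), and the sample inspect data is constructed.

```python
"""Audit Docker containers for the misconfigurations this chain tests.

Added example, not code from the Prelude chain or Operator. Reads the JSON
emitted by `docker inspect` and flags containers running in privileged mode
(cgroup release_agent escape) or sharing the host PID namespace (hostPID
privilege escalation). SAMPLE_INSPECT below is constructed test data.
"""
from __future__ import annotations

import json
import subprocess

# Constructed `docker inspect` output: one sane container, one misconfigured.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
    },
    {
        "Id": "bbbb2222",
        "Name": "/debug",
        "HostConfig": {"Privileged": True, "PidMode": "host", "CapAdd": ["SYS_ADMIN"]},
    },
])


def findings_for(container: dict) -> list[str]:
    """Return the risky settings found on one inspected container."""
    host = container.get("HostConfig") or {}
    found = []
    if host.get("Privileged"):
        # Privileged containers can mount cgroupfs and write release_agent,
        # which is the misconfiguration the two escape TTPs depend on.
        found.append("privileged")
    if host.get("PidMode") == "host":
        # hostPID: the container sees the host's process table.
        found.append("hostPID")
    # Assumption beyond the page: CAP_SYS_ADMIN alone permits mounting a
    # cgroup hierarchy, so report it as a weaker form of the same exposure.
    if "SYS_ADMIN" in (host.get("CapAdd") or []):
        found.append("cap_sys_admin")
    return found


def audit(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings, for every container with at least one."""
    report = {}
    for c in json.loads(inspect_json):
        f = findings_for(c)
        if f:
            report[c.get("Name", c["Id"]).lstrip("/")] = f
    return report


def audit_host() -> dict[str, list[str]]:
    """Inspect every running container on this host (needs the docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    # Run against the constructed sample; swap in audit_host() on a real host.
    for name, flags in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(flags)}")
```

Any container the script lists under "privileged" is exactly what the remediation below addresses: remove `--privileged` (and any added SYS_ADMIN capability) rather than trying to lock down the cgroup filesystem from inside the container.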

Remediation

The recommended remediation is to not run containers in privileged mode.

Check out the TTP Is my Docker container vulnerable to cgroup controller escape? on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Octavia: https://twitter.com/VVX7

Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org
TTPs

  • Is my Docker container vulnerable to hostPID privilege escalation?
  • Is my Docker container vulnerable to RDMA cgroup controller escape?
  • Is my Docker container vulnerable to cgroup controller escape?