The “hotpatch” released by Amazon Web Services (AWS) in response to the Log4Shell vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host.
“Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution,” Palo Alto Networks Unit 42 researcher Yuval Avrahami said in a report published this week.
The issues — CVE-2021-3100, CVE-2021-3101, CVE-2022-0070, and CVE-2022-0071 (CVSS scores: 8.8) — affect the hotfix solutions shipped by AWS, and stem from the fact that they are designed to search for Java processes and patch them against the Log4j flaw on the fly, but without ensuring that the newly spawned Java processes run within the restrictions (namespaces, capabilities, seccomp and cgroup limits) imposed on the container.
“Any process running a binary named ‘java’ – inside or outside of a container – is considered a candidate for the hot patch,” Avrahami elaborated. “A malicious container therefore could have included a malicious binary named ‘java’ to trick the installed hot patch solution into invoking it with elevated privileges.”
In the next step, those elevated privileges could be weaponized by the malicious ‘java’ process to escape the container and gain full control over the compromised server.
A rogue unprivileged process could, in a similar manner, have created and executed a malicious binary named “java” to trick the hotpatch service into running it with elevated privileges.
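The root cause described above is candidate selection by process name alone. The triage helper below is an added example written for this page (it is not code from AWS or from Unit 42) showing what a name-only scan finds and what a safer selection would additionally check: whether the process lives in the host's mount namespace and whether its executable sits under an expected JDK path. The trusted-prefix allowlist is an assumption to adjust per host, and the miniature `/proc` tree it builds is constructed test data, not a real process table. Note that `/proc/PID/exe` is resolved inside the process's own mount namespace, so a path check on its own proves nothing for a containerized process; it is the namespace check that tells the patcher it must enter the container (with the container's credentials) rather than exec the binary as host root.

```python
"""
Added example: enumerate "java"-named processes the way a name-based
hotpatcher would, then flag the ones that must not simply be executed
with host privileges. Works against a real /proc on Linux or against
the constructed fake tree used by demo().
"""
import os
import tempfile
from dataclasses import dataclass

# Assumed allowlist of JDK install roots; adjust for your own hosts.
TRUSTED_JAVA_PREFIXES = ("/usr/lib/jvm/", "/usr/java/", "/opt/java/")


@dataclass
class JavaCandidate:
    pid: int
    exe: str
    uid: int
    mnt_ns: str
    in_host_mnt_ns: bool   # same mount namespace as PID 1
    exe_trusted: bool      # exe path under an allowlisted JDK root


def _read(path):
    with open(path) as f:
        return f.read()


def _status_uid(status_text):
    """Real uid from the 'Uid:' line of /proc/PID/status."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    raise ValueError("no Uid line in status")


def find_java_candidates(proc_root="/proc"):
    """Every process whose comm is 'java', i.e. a name-only candidate."""
    host_ns = os.readlink(os.path.join(proc_root, "1", "ns", "mnt"))
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            if _read(os.path.join(pdir, "comm")).strip() != "java":
                continue
            exe = os.readlink(os.path.join(pdir, "exe"))
            uid = _status_uid(_read(os.path.join(pdir, "status")))
            mnt_ns = os.readlink(os.path.join(pdir, "ns", "mnt"))
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        found.append(JavaCandidate(
            pid=int(entry), exe=exe, uid=uid, mnt_ns=mnt_ns,
            in_host_mnt_ns=(mnt_ns == host_ns),
            exe_trusted=exe.startswith(TRUSTED_JAVA_PREFIXES)))
    return sorted(found, key=lambda c: c.pid)


def needs_confinement(c):
    """True when running this 'java' as host root would be unsafe: it is
    either inside a container (foreign mount namespace) or its binary is
    not an allowlisted JDK. A patcher must then enter the target's
    namespaces and drop to its credentials, or skip it."""
    return not (c.in_host_mnt_ns and c.exe_trusted)


def build_fake_proc(root):
    """Construct a miniature /proc for offline demonstration (fake data)."""
    def mk(pid, comm, exe, uid, mnt_ns):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "ns"))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{comm}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink(mnt_ns, os.path.join(d, "ns", "mnt"))

    host = "mnt:[4026531840]"
    mk(1, "systemd", "/usr/lib/systemd/systemd", 0, host)
    mk(1200, "java", "/usr/lib/jvm/java-11/bin/java", 1001, host)  # host JVM
    mk(2300, "java", "/usr/lib/jvm/java-11/bin/java", 0, "mnt:[4026532501]")  # JVM in a container
    mk(2400, "java", "/tmp/java", 1000, "mnt:[4026532502]")  # attacker binary in a container
    mk(2500, "java", "/home/user/java", 1000, host)  # unprivileged user's fake java on host


def demo():
    """Run the scan over the constructed tree and return the candidates."""
    root = tempfile.mkdtemp()
    build_fake_proc(root)
    return find_java_candidates(root)


if __name__ == "__main__":
    for c in demo():
        verdict = "MUST CONFINE" if needs_confinement(c) else "host JVM"
        print(f"pid={c.pid} uid={c.uid} exe={c.exe} ns={c.mnt_ns} -> {verdict}")
```

On a real host, run `find_java_candidates()` with no argument as root; anything reported with `needs_confinement(...)` true is exactly the class of process the vulnerable hotpatch would have executed with host privileges.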
Users are advised to upgrade to the fixed hot patch version as soon as possible to prevent potential exploitation, but only after prioritizing patching against the actively exploited Log4Shell flaws themselves.
“Containers are often used as a security boundary between applications running on the same machine,” Avrahami said. “A container escape allows an attacker to extend a campaign beyond a single application and compromise neighboring services.”