When an unsuspecting user attempts to pull (extract) an image from the registry, the result is a “denial of service” condition.
“With this vulnerability, attackers can compromise any container infrastructure that relies on vulnerable container engines, including Kubernetes and OpenShift,” Sasson said.
CRI-O and Podman are Docker-like container engines that are used to perform actions and manage containers in the cloud. The containers/storage library is used by the CRI-O and Podman engines to manage the storage and loading of container images.
While the vulnerability is being exploited, CRI-O cannot retrieve new images, launch new containers (even if they have already been retrieved), retrieve lists of local images, or destroy containers. Likewise, Podman cannot fetch new images, fetch running modules, launch new containers (even if they are already fetched), execute them in containers, fetch existing images, or destroy existing containers.
“An attacker could load a malicious layer into the registry that aims to exploit a vulnerability, and then load an image that uses multiple layers, including the malicious one. Then, when the victim starts to extract the image from the registry, it will download the malicious layer as part of this process, causing the vulnerability,” explained Sasson.
Once the container engine starts loading the malicious layer, the end result is a process crash.
The vulnerability was fixed in containers/storage version 1.28.1, CRI-O version 1.20.2 and Podman version 3.1.0.
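A defender can turn the fixed versions listed above into an inventory check. The following is an added example, not code from the article or from the CRI-O/Podman projects; the host names and version strings in `SAMPLE` are constructed, and the component labels are an assumed naming convention for the inventory.

```python
import re

# Fixed releases exactly as stated in the article above.
# The trailing 1 marks a final release (0 = pre-release such as -rc1).
FIXED = {
    "containers/storage": (1, 28, 1, 1),
    "cri-o": (1, 20, 2, 1),
    "podman": (3, 1, 0, 1),
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(-(?:rc|dev|alpha|beta))?")

def parse_version(text):
    """Parse 'podman version 3.0.1', 'v1.28.1' or '3.1.0-rc1' into a sortable tuple."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    # A pre-release of the fixed version predates the fix, so it sorts lower.
    return (major, minor, patch, 0 if m.group(4) else 1)

def audit(inventory):
    """Return (host, component, raw_version, status) for each inventory row."""
    findings = []
    for host, component, raw in inventory:
        fixed = FIXED.get(component.lower())
        if fixed is None:
            status = "unknown-component"
        else:
            try:
                status = "patched" if parse_version(raw) >= fixed else "vulnerable"
            except ValueError:
                status = "unparseable"  # needs manual review, not a pass
        findings.append((host, component, raw, status))
    return findings

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("node-a", "podman", "podman version 3.0.1"),
    ("node-b", "cri-o", "crio version 1.20.2"),
    ("node-c", "podman", "3.1.0-rc1"),
    ("node-d", "containers/storage", "v1.28.1"),
    ("node-e", "cri-o", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:8} {:20} {:24} {}".format(*row))
```

Distribution packages sometimes backport fixes without changing the upstream version number, so a "vulnerable" result from a version string alone should be confirmed against the vendor's advisory.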
Interestingly, Intezer experts recently reported that since 2017, the amount of malware written in the Go language has increased by 2000% and that such malware is now commonplace.
Golang is often used by “government” hackers, lower-level intruders, and information security professionals (usually to create penetration tester tools).
Previously, experts noted that in recent years, attackers have been gradually moving away from C and C++, increasingly preferring Go, a programming language developed and launched by Google in 2007. Although the first malware in Go appeared back in 2012, it took a while for the language to gain such popularity.
It may also be interesting to know that systems with Plex Media Server are used to amplify DDoS attacks, and that a DDoS attack in Iran was conducted through Telegram proxy servers.