CopyFail: From Pod to Host
a day ago
- #Container Escape
- #Page Cache Vulnerability
- #Linux Kernel Security
- Copy Fail is a new Linux local privilege escalation vulnerability that exploits a kernel memory corruption flaw without injecting code, allowing a controlled 4-byte write into the Linux page cache, enabling attackers to rewrite cached file contents.
- The vulnerability can be used for cross-container poisoning or container escape by exploiting shared page cache across containers, as overlayfs mounts share underlying address_space when layers are deduplicated by content hash.
- Attack scenarios include poisoning shared base layers to compromise co-located pods or escaping containers by poisoning host binaries like runc, leveraging the shared page cache to achieve host root execution.
- Detection methods such as image registry scanning and file integrity monitoring are ineffective, because only the in-memory page cache is modified and the on-disk file remains unchanged; runtime EDR, seccomp profiles, and VM isolation are the recommended mitigations.
- Patch the host kernel, block AF_ALG sockets with seccomp, and use VM isolation for high-security workloads to mitigate Copy Fail and similar vulnerabilities.
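The seccomp mitigation above, as an added example (not taken from the original post or any referenced project): an OCI/Docker-style seccomp profile that returns an error for any `socket()` call whose first argument is `AF_ALG` (the Linux constant value 38), which is the only way user space opens the kernel crypto API socket. The profile below is deliberately minimal, allowing everything else, so that the rule is easy to read; in practice the `socket` entry would be merged into the runtime's existing default profile rather than replacing it.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["socket"],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1,
      "args": [
        {
          "index": 0,
          "value": 38,
          "op": "SCMP_CMP_EQ"
        }
      ]
    }
  ]
}
```

Applied with `docker run --security-opt seccomp=no-af-alg.json ...` (the file name is a placeholder), the container still creates ordinary TCP, UDP and Unix sockets but gets `EPERM` from `socket(AF_ALG, ...)`. Workloads that legitimately use the kernel crypto API through `AF_ALG` (some hardware-offload or FIPS-oriented crypto libraries) would break under this rule, so confirm none of the pods in scope depend on it before rolling the profile out; the profile reduces exposure to this attack path but does not replace patching the host kernel.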