• CrowdStrike discovered a vulnerability in Flexera’s FlexNet Inventory Agent that can be exploited to allow arbitrary code execution and privilege escalation under certain conditions.
  • The vulnerability was disclosed to Flexera and is tracked under CVE-2023-29082.
  • The mitigation was included in the 19.4.0 version of the agent that was released by Flexera in April 2023. The advisory was published by Flexera in early December 2023 and can be found here.
  • The CrowdStrike Falcon® platform helps protect organizations of all sizes from sophisticated breaches, including vulnerability exploitations, with industry-leading cloud-native application protection platform (CNAPP) capabilities.

CrowdStrike’s cloud security team discovered a new vulnerability (CVE-2023-29082) in Flexera’s FlexNet Inventory Agent. When exploited, an attacker can escape from a container and gain root access to the host. Exploitation of CVE-2023-29082 can allow an attacker to perform a variety of actions on objectives, including execution of malware and exfiltration of data.

Attempted exploits of this and similar vulnerabilities can be detected by the Falcon sensor for Linux or Falcon Cloud Workload Protection, built into the CrowdStrike Falcon® Cloud Security module. CrowdStrike disclosed the vulnerability to Flexera earlier this year, it was acknowledged, and the updated version of the FlexNet Inventory Agent that mitigates this vulnerability was released in April 2023. It is recommended that FlexNet Inventory Agent users upgrade to the 19.4.0 version or above and make sure directories that attackers may have write access to, including container filesystem directories, are excluded from the scans.

Impact

The vulnerability allows malicious users with permissions to deploy container images to escalate to root privileges on vulnerable Linux hosts that run FlexNet Inventory Agent.

Affected Software

  • FlexNet Inventory Agent versions below 19.4.0 don’t exclude container filesystem directories from scans by default.

CrowdStrike Detection

The Falcon Cloud Security module protects Kubernetes and containers, and the Falcon sensor detects attempts to exploit CVE-2023-29082 and similar attacks. The Falcon sensor for Linux has visibility into both host and container activities, allowing it to detect this type of behavior at runtime.

Figure 1. The Falcon platform detects an attempted attack at runtime (click to enlarge)

Remediation

  • Upgrade FlexNet Inventory Agent to the 19.4.0 version or above
  • Exclude any directories that attackers may have access to from scans

Vulnerability Details

FlexNet Inventory Agent is a proprietary inventory agent developed by Flexera that is capable of scanning Linux hosts to determine hardware and software presence on a given machine. As a part of the scan, the agent attempts to determine the Java version by executing the java binary with the -version flag for every occurrence of the binary. It’s important to note here that the agent runs with root privileges, so any executable named java will be executed with these privileges. If an attacker has write access to any of the scanned directories, it is possible to deploy a malicious binary named java and get it executed with root permissions. One of the possible attack scenarios includes a malicious actor deploying a container with malware named java to the host scanned by FlexNet Inventory Agent.

Container runtimes like Docker and Containerd keep container filesystem layers under /var/lib/ such as:

/var/lib/docker/overlay2/<hash>/diff/
/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/<number>/fs/
/var/lib/kubelet/pods/<hash>/volumes/kubernetes.io/<name>/mount/

Users may configure the FlexNet Inventory Agent to scan these directories. This means if the agent is configured to scan them, malicious actors will be able to break out of a container and escalate to root privileges on the Linux host.

Proof of Concept: Leveraging CVE-2023-29082 to Achieve Code Execution on the Host

We can put all of this information together to create a simple container escape. We start with a basic reverse shell written in C and add a few tweaks. First, we fork and daemonize so we don’t block the agent. Then the original process will print out a fake Java version string to make it seem like nothing is wrong. After the agent executes our program, we’ll have a reverse shell running in the background with root privileges.

We compile the payload in a container and rename the executable file to java. From within the same container, we launch a listener for our reverse shell using the netcat command nc -lkv 4444.

Now we wait for the scan to run. The scan will take a while, but at some point it will execute our payload and we’ll see a connection in our netcat listener.

root@94678c917cd5:/# nc -lkv 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.1.
Ncat: Connection from 172.17.0.1:35774.
whoami
root
hostname
test-virtual-machine

We have now broken out of our container and have full root privileges on the host system.

Conclusion

This vulnerability demonstrates the importance of runtime protection for detecting and preventing attacks on containers and cloud infrastructure.

Falcon Cloud Security provides a comprehensive approach to cloud security, delivering a combination of runtime security and proactive measures, including assessments for indicators of misconfigurations (IOMs) and indicators of attack (IOAs) as well as compliance checks. It also detects and prevents breaches by various types of actors, including cryptojacking hacktivists, eCrime groups and nation-state actors, providing a complete and robust solution for securing your cloud infrastructure.

See Falcon Cloud Security in action in this short product video and get hands-on with an interactive demo.

Watch how Falcon Cloud Security’s Attack Path Analysis automatically stitches together the complete trajectory of an adversary, cutting investigation and response time.

Additional Resources

By 1

Leave a Reply

Your email address will not be published. Required fields are marked *