[AI Minor News]

Critical Vulnerability "CopyFail" Emerges in Linux Kernel! Easy Container Escape via Page Cache Manipulation


※ This article contains affiliate advertising.

📰 News Overview

  • A highly dangerous new vulnerability called “CopyFail” has been disclosed, enabling local privilege escalation on Linux.
  • It works by directly rewriting the Linux “page cache”, without injecting any code into the kernel.
  • By exploiting it, an attacker can tamper with the in-memory contents of read-only system files (such as su) and thereby obtain root privileges.

💡 Key Points

  • Deterministic Attack: Unlike many traditional vulnerabilities, this one allows a “deterministic” attack that does not rely on chance, giving it a high success rate.
  • Breaking Container Boundaries: Because containers built from the same image layer are served the same page cache for identical files, the vulnerability can be used for cross-container poisoning or for escaping a container.
  • Stealthy: The attack modifies only the cached copy in kernel memory and leaves the on-disk binaries untouched, so traditional scanners that inspect files on disk have a hard time detecting it.
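Added example, not code from the article or from the CopyFail write-up it summarises: a defender-side check for the stealth property just described, comparing a file as served from the page cache with the same bytes read straight from storage via O_DIRECT. It assumes a local filesystem that honours O_DIRECT (ext4 or XFS, including overlayfs layered on them); the temp-file path and sample content are constructed placeholders.

```c
#define _GNU_SOURCE                 /* glibc exposes O_DIRECT under this */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_DIRECT
#define O_DIRECT 040000             /* x86 value, used only if the header lacks it */
#endif
#define BLK 4096                    /* alignment and size granule O_DIRECT requires */

/* Read a whole file into a BLK-aligned buffer of cap bytes (cap >= file size); direct=1
 * bypasses the page cache. Returns bytes read, -1 on error, -2 if O_DIRECT is refused. */
static ssize_t slurp(const char *path, int direct, unsigned char **out, size_t cap) {
    int fd = open(path, O_RDONLY | (direct ? O_DIRECT : 0));
    if (fd < 0) return (direct && errno == EINVAL) ? -2 : -1;
    unsigned char *buf = NULL;
    if (posix_memalign((void **)&buf, BLK, cap) != 0) { close(fd); return -1; }
    ssize_t n = read(fd, buf, cap);     /* cap covers the file, so one read suffices */
    int err = errno;
    close(fd);
    if (n < 0) { free(buf); return (direct && err == EINVAL) ? -2 : -1; }
    *out = buf;
    return n;
}

/* 1 = page cache and disk agree, 0 = they differ (cache tampering suspected), -1 = error,
 * -2 = no verdict because this filesystem (e.g. tmpfs) does not support O_DIRECT. */
int cache_matches_disk(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    size_t cap = ((size_t)st.st_size + BLK - 1) / BLK * BLK;
    unsigned char *cached = NULL, *disk = NULL;
    ssize_t nc = slurp(path, 0, &cached, cap);   /* normal read: served from the page cache */
    if (nc < 0) return (int)nc;
    ssize_t nd = slurp(path, 1, &disk, cap);     /* O_DIRECT read: straight from storage */
    if (nd < 0) { free(cached); return (int)nd; }
    int same = (nc == nd) && memcmp(cached, disk, (size_t)nc) == 0;
    free(cached); free(disk);
    return same;
}

/* Constructed sample: a fresh temp file can only yield the clean verdict (1) or -2. On a
 * live host, point cache_matches_disk() at a read-only binary such as /usr/bin/su instead. */
int selftest(void) {
    char path[] = "/tmp/pagecache_check_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    const char msg[] = "constructed sample binary content";
    ssize_t w = write(fd, msg, sizeof msg);
    close(fd);
    int r = (w == (ssize_t)sizeof msg) ? cache_matches_disk(path) : -1;
    unlink(path);
    return r;
}
```

A mismatch on a read-only system binary is a strong signal, but a clean result is not proof, since whoever controls the cache could re-poison it after the check; use this alongside the kernel update, not instead of it.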

🦈 Shark’s Eye (Curator’s Perspective)

The brilliance of this vulnerability lies in how it turns Linux’s own efficiency mechanism, the “shared page cache”, against itself! Containers are supposed to be isolated, but to save memory the kernel serves the same cached pages for identical files wherever they are opened. Using that to swap out the contents of a read-only file in another container is a Columbus’s-egg kind of trick: obvious in hindsight, and thoroughly evil! In particular, the combination of the IPsec-related crypto code (authencesn) and the splice(2) system call creates a situation where the kernel believes it is handling “temporary data” while it is actually rewriting a critical cache. It is a precisely engineered technique that leaves no way out. This is massive news that affects Linux servers, the backbone of all AI infrastructure!

🚀 What’s Next?

Linux distributions urgently need to roll out kernel updates. In shared-node environments such as Kubernetes in particular, common image layers could become a foothold for attacks, which may prompt a rethink of how container isolation is designed.

💬 Shark’s Insight

Manipulating the cache is like a shark lurking from the shadows, ready to pounce on its prey! Infrastructure teams need to check for patches immediately! 🦈🔥

📚 Term Glossary

  • Page Cache: A copy of data held in memory by the kernel to accelerate access to files on disk. This vulnerability directly alters this cache.

  • AF_ALG: An interface for accessing the kernel’s cryptographic subsystem from user space. It served as the entry point for the attack in this vulnerability.

  • Deterministic (Vulnerability): An attack method that is guaranteed to succeed when specific steps are followed, unaffected by timing or luck. Its high reproducibility makes it a severe threat to defenders.

  • Source: CopyFail: From Pod to Host

【Disclaimer】
This article was structured by AI and is verified and managed by the operator. Accuracy is not guaranteed, and we assume no responsibility for external content.
🦈