Open Source Technology Improvement Fund is thrilled to report the results of a security audit of CRI-O. CRI-O is an open source software (OSS) project that is an implementation of the Kubernetes Container Runtime Interface. It can run any OCI-compatible container, providing an enormous number of applications and environments. 

The primary security finding of the work is a single high-severity issue. A few minor issues were found as well, however, the Audit Team’s view from completing this engagement is that CRI-O is a well-written project that has a high level of security assurance.

The high severity finding is a denial of service attack on a given cluster by way of resource exhaustion of nodes. The attack is performed by way of pod creation, which means any user that can create a pod can cause denial of service on the given node that is used for pod creation. The CVE for the this vulnerability is CVE-2022-1708 and Github advisory can be found here: https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j

Interestingly, the denial of service attack also occurred in other container runtime interface implementations, most notably Containerd. Specifically, the exact same attack that exhausts memory in CRI-O can be used to exhaust memory of Containerd. The CVE for this issue in containerd is CVE-2022-31030 and the Github security advisory can be found here: https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf 

Furthermore, an extensive fuzzing suite targeting the CRI-O infrastructure was integrated as a result of this engagement, providing long-lasting improvements to the security posture of the project.

Lastly, we commissioned Chainguard to perform a dedicated Supply Chain Security Assessment of CRI-O as part of the security audit. The assessment was designed to analyze CRI-O practices and recommend steps and strategies to increase SLSA compliance. The full assessment can be found in the report. 

Thank you to Cloud Native Computing Foundation (CNCF) for funding this audit and entrusting Open Source Technology Improvement Fund to facilitate it. 

Special thanks to David Korczynski and Adam Korczynski of Ada Logics for auditing the software, Dan Lorenc and Adolfo García Veytia of Chainguard, and to the CRI-O team’s Peter Hunt and Mrunal Patel for their support. 

Everyone around the world depends on OSS. We’d love to do more security audits to proactively find and fix vulnerabilities! If you’re interested in financially supporting this work, contact [email protected].

References: 

FULL AUDIT REPORT (PDF)

https://ostif.org/wp-content/uploads/2022/06/CRI-O-audit-by-ada-logics-chainguard-ostif.pdf

Announcement by Ada Logics

https://adalogics.com/blog/cri-o-security-engagement

Announcements by the Cloud Native Computing Foundation

https://www.cncf.io/blog/2022/06/06/ostifs-audit-of-cri-o-is-complete-high-severity-issues-found-and-fixed/

https://www.cncf.io/blog/2022/06/06/ada-logics-cri-o-holistic-security-audit-engagement/