Scenario #295
Security
Kubernetes v1.22, CRI-O on Bare Metal

Node Compromise via Insecure Container Runtime

A CVE in the container runtime allowed a container breakout, leading to full node compromise.

What Happened

An attacker exploited a CRI-O vulnerability (CVE-2022-0811) that allowed containers to overwrite host paths via sysctl injection.

Diagnosis Steps
  1. Detected an abnormal node CPU spike and external traffic.
  2. Inspected containers and found sysctl modifications.
  3. Cross-verified the findings with known CVEs.
Root Cause

An unpatched CRI-O vulnerability, combined with the default seccomp profile being disabled.

Fix/Workaround
• Upgraded CRI-O to a patched version.
• Enabled seccomp and AppArmor profiles by default.
Lessons Learned

Container runtimes must be hardened and patched like any system component.

How to Avoid
  1. Automate CVE scanning for runtime components.
  2. Harden runtimes with security profiles.
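As an added example (not part of this scenario write-up), the kind of manifest the fix and the "harden runtimes with security profiles" advice describe for a Kubernetes v1.22 cluster on CRI-O: the namespace enforces the restricted Pod Security Standard, so pods that omit a seccomp profile or request unsafe sysctls are rejected at admission, and the pod sets seccomp and AppArmor explicitly. The namespace, pod, container and image names are placeholders.

```yaml
# Namespace with Pod Security admission (beta in v1.22) enforcing the
# "restricted" standard: pods without a seccomp profile, running as root,
# or requesting unsafe sysctls are rejected before they reach the runtime.
apiVersion: v1
kind: Namespace
metadata:
  name: hardened-workloads                      # placeholder name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.22
---
apiVersion: v1
kind: Pod
metadata:
  name: example-app                             # placeholder name
  namespace: hardened-workloads
  annotations:
    # In v1.22 AppArmor is configured per container through this annotation;
    # runtime/default selects the container runtime's built-in profile.
    container.apparmor.security.beta.kubernetes.io/app: runtime/default
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault                      # runtime's default seccomp profile, not Unconfined
    runAsNonRoot: true
    # No spec.securityContext.sysctls entry: the pod requests no sysctls at all.
    # The restricted standard only permits the small set of "safe" sysctls anyway.
  containers:
    - name: app
      image: registry.example.com/app:1.0       # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
```

Applying the namespace labels to existing namespaces is a quick way to find workloads that still run without a seccomp profile, since Pod Security admission reports the violations on `kubectl apply` or via the `warn`/`audit` modes before `enforce` is switched on.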