CVE-2022-27650: 
NixOS vulnerability analysis and mitigation

CVE-2022-27650 is a security vulnerability discovered in crun and Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities. The vulnerability was discovered in March 2022 and affects crun versions prior to 1.4.4 (GHSA Advisory).

The vulnerability creates an atypical Linux environment by allowing containers to start with non-empty inheritable Linux process capabilities. This enables programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2) execution. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability primarily affects containers that use Linux users and groups to perform privilege separation inside the container. While the bug did not affect the container security sandbox (as the inheritable set never contained more capabilities than were included in the container's bounding set), it created an environment where unprivileged users and processes could gain additional inheritable file capabilities up to the container's bounding set (Red Hat Bugzilla).

The vulnerability has been fixed in crun version 1.4.4. Users should update to this version, and running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. As a workaround, the entrypoint of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting (Red Hat Bugzilla).