TF 0157 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# SYS_MODULE capability added

| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | misconfiguration |
## Description

Granting the SYS_MODULE capability to a container allows processes inside it to load and unload kernel modules. Because a loaded module runs with full kernel privileges in the host kernel shared by every container, this bypasses the isolation boundary that containers rely on and gives the container extensive control over the underlying system.
## Impact
If exploited, an attacker with access to such a container could install malicious kernel modules or alter system-level behavior, potentially leading to privilege escalation, host compromise, and full control over the infrastructure.
## Resolution

To mitigate this risk, it is strongly recommended to remove SYS_MODULE from `containers[].securityContext.capabilities.add`. Kubernetes does not include SYS_MODULE in the default capability set, so it is only present when explicitly added. Follow the practice of dropping all capabilities (`drop: ["ALL"]`) and adding back only those the workload actually needs.
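The following is an added example, not code from the Symbiotic database: a small check that walks a parsed Kubernetes manifest (Pod or a workload controller such as a Deployment), flags any container or initContainer whose `securityContext.capabilities.add` includes SYS_MODULE, and records whether that container also drops ALL. The sample manifest, the `find_sys_module` function and its helpers are constructed here for illustration; a real scan would load the manifest with a YAML or JSON parser first.

```python
# Added example (not from the Symbiotic database): flag containers whose
# securityContext adds SYS_MODULE and report whether they follow the
# "drop ALL, add only what is needed" pattern. Input is a manifest that has
# already been parsed (e.g. by a YAML/JSON loader) into Python dicts.

def _normalize(cap):
    # Kubernetes expects names without the CAP_ prefix, but manifests in the
    # wild sometimes carry it; compare case-insensitively without the prefix.
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def _pod_spec(manifest):
    # Pod manifests hold the spec at .spec; workload controllers such as
    # Deployment/DaemonSet/StatefulSet/Job hold it at .spec.template.spec.
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def find_sys_module(manifest):
    """Return one finding dict per container that adds SYS_MODULE."""
    findings = []
    spec = _pod_spec(manifest)
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            added = {_normalize(x) for x in caps.get("add") or []}
            dropped = {_normalize(x) for x in caps.get("drop") or []}
            if "SYS_MODULE" in added:
                findings.append({
                    "container": c.get("name"),
                    "field": f"{field}[].securityContext.capabilities.add",
                    "drops_all": "ALL" in dropped,
                })
    return findings

# Constructed sample manifest: two containers, one of which adds SYS_MODULE.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "example/web",
         "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        {"name": "loader", "image": "example/loader",
         "securityContext": {"capabilities": {"add": ["SYS_MODULE"]}}},
    ]}}},
}

if __name__ == "__main__":
    for f in find_sys_module(SAMPLE_DEPLOYMENT):
        print(f"{f['container']}: SYS_MODULE added via {f['field']}"
              f" (drop ALL present: {f['drops_all']})")
```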