Critical Kubernetes Vulnerability Allows Data Theft, Code Injection
A privilege escalation flaw uncovered in Kubernetes could allow attackers to steal sensitive data, inject malicious code, and bring down production apps and services.
A bug in Kubernetes, the open source cluster management software that allows for the orchestration of containerized Linux apps could make it possible for attackers to steal sensitive data or inject malicious code.
Kubernetes, originally developed by Google and open sourced in 2014, brings together containerized services into applications that can be used at scale. The technology is used by organizations worldwide, including Comcast, Goldman Sachs, and SAP.
The vulnerability, a privilege escalation flaw (CVE-2018-1002105) could also bring down production applications and services from within an organization's firewall, Red Hat - whose OpenShift Container Platform, OpenShift Online and OpenShift Dedicated products are affected by the flaw - warned Monday.
Darren Shepherd, co-founder and chief architect at Rancher Labs—a software company that runs a Kubernetes distribution platform, is credited for discovering the bug.
While CVE-2018-1002105 has been patched, both by Kubernetes and distribution platforms, that doesn't discount the fact that it's one of the first - and most serious - bugs to surface in Kubernetes since its inception.
The vulnerability, which garners a Common Vulnerability Scoring System (CVSS) rating of 9.8, could allow compromise pods, multiple running container instances, and in turn, access to secrets, pods, environment variables, running pod/container processes, and persistent volumes.
The community that supports the open source software resolved the vulnerability in v1.10.11, v1.11.5, and v1.12.3 of Kubernetes. Users running versions v1.0.x-1.9.x, v1.10.0-1.10.10, v1.11.0-1.11.4, and v1.12.0-1.12.2 of the software should update however.
As far as distros go, Red Hat is warning that on some versions of its OpenShift Container Platform the bug allows cluster-admin level access to any API hosted by an aggregated API server. That could open the door to the creation of brokered services by an unauthenticated user with escalated privileges, and grant the ability to deploy malicious code.
On OpenShift Dedicated environments, a regular user, "with pod exec/attach/portforward permissions, can gain cluster-level administrative privileges on any compute node that can run that pod. This includes exec access to all running workloads, all current secrets, logs, etc..."
"This is a big deal," Ashesh Badani, lead cloud platforms BU at Red Hat, wrote Monday of the vulnerability.
Red Hat, which was acquired by IBM for $34 billion in October, said Monday that patches to remedy the bug should already be installed if companies use automatic updates.
Jordan Liggitt, a staff software engineer with Google who helps maintain Kubernetes warned of the bug in a GitHub issue tracker late last month.
“With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection," Liggitt wrote.
Infosec experts warned of the bug, encouraging users to update, shortly after it was disclosed Monday morning.
— Tiago M. Vieira (@tiagovieira) December 3, 2018
You must upgrade @kubernetesio . Now. Specifically, there are patched version of #Kubernetes v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1.
If you're still using #Kubernetes v1.0.x-1.9.x, stop. Update to a patched version.
— Patrick O'Reilly (@yllierop) December 3, 2018
This Kubernetes privEsc bug seems bad
— Kenn White (@kennwhite) December 4, 2018
Like Red Hat, Microsoft also confirmed Monday that it had patched its Azure Kubernetes Service (AKS) to address the vulnerability.
In Microsoft's scenario, if exploited, the vulnerability could have allowed unauthenticated external users to access metrics data provided by the Kubernetes metrics server API via a specially crafted payload. Microsoft, for its part, has patched all clusters by removing unauthenticated access to entrypoints that exposed the vulnerability.
"If you were relying on this unauthenticated access to these endpoints from outside the cluster, you will need to switch to an authenticated path," Microsoft wrote Monday.