Critical Kubernetes privilege escalation flaw patched, update ASAP!

A critical privilege escalation vulnerability affecting the popular open source cluster management and container orchestration software Kubernetes has been patched on Monday.

The project maintainers are urging users to update their installations as soon as possible, since the flaw can be easily exploited remotely by unauthenticated attackers to gain access to vulnerable Kubernetes clusters and the applications and data within them.

About the vulnerability (CVE-2018-1002105)

CVE-2018-1002105 affects the Kubernetes API server – more specifically, its proxy handling function.

“This vulnerability allows specially crafted requests to establish a connection through the Kubernetes API server to backend servers (such as aggregated API servers and kubelets), then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” Kubernetes Product Security Team member Jordan Liggitt explained.

The vulnerability has been fixed in Kubernetes v1.10.11, v1.11.5, v1.12.3 and v1.13.0-rc.1. There are some mitigation actions those who don’t want to update just yet can perform but Liggitt warns that they can be disruptive.

Finally, he pointed out an additional danger: detecting whether the vulnerability has been exploited is far from simple, as the unauthorized requests are made over an established connection and will not appear in the Kubernetes API server audit logs or server log.

“The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server,” he noted.

Red Hat offers patches as well

According to Red Hat, whose OpenShift container offerings are managed by Kubernetes, a malicious user with pod exec/attach/portforward privileges could exploit the flaw to access any container running on the same node as their pod, allowing them access to sensitive workloads, data and even production applications.

Alternatively, an unauthenticated user can exploit the API extension feature used by metrics and service catalog in Kubernetes to gain cluster-admin privileges to the service broker and create new services, potentially allowing for the injection of malicious code.

“It’s important to note that all Kubernetes-based services and products – including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated – are affected,” Ashesh Badani, the lead for Red Hat’s OpenShift business unit, pointed out. “Red Hat has begun delivering patches and pushed service updates to affected users, enabling them to address this flaw either immediately or when it best fits their specific risk profile.”

He then confirmed via Twitter that “OpenShift is providing patches back to v3.2 (based on Kube 1.2) which released in May 2016.”

More information about the flaw and its imact can be had here.