Container code cluster-fact: There's a hole in Kubernetes that lets miscreants cause havoc

Critical bug brings bevy of patches


The keepers of Kubernetes, the rather popular software container orchestration system, have pushed out three new releases that patch a critical flaw.

In a post to the Kubernetes announcement list on Monday, Google senior staff engineer Jordan Liggitt says Kubernetes version v1.10.11, v1.11.5, and v1.12.3 have been made available to fix CVE-2018-1002105, a privilege escalation vulnerability.

The code error in the open source project has been designated severity 9.8 out of 10 because it can be executed remotely, the attack is not complex and no user interaction or special privileges are required .

According to Liggitt, a malicious user could use the Kubernetes API server to connect to a backend server to send arbitrary requests, authenticated by the API server's TLS credentials.

The API server is the main management entity in Kubernetes. It talks to the distributed storage controller etcd and to kublets, the agents overseeing each node in a cluster of software containers.

The bug was spotted by Darren Shepherd, chief architect and co-founder at Rancher Labs.

Red Hat OpenShift, an enterprise-oriented container platform, has introduced patches for all product variants.

"This is a big deal," said Ashesh Badani, veep and general manager of OpenShift at Red Hat, in a blog post. "Not only can [miscreants] steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall."

There are two primary attack vectors. Using the first, an individual possessing the Pod exec/attach/portforward privileges granted to a normal user by default can become a cluster-admin, thereby gaining access to any container in the Pod and potentially any information therein.

The second method lets an unauthenticated user access the API to create unapproved services, which could be used to inject malicious code.

"Any unauthenticated user with access to a Kubernetes environment can hit the discovery endpoint which proxies the aggregated API server (not the kube-apiserver)," explained Christopher Robinson, manager of product security assurance at Red Hat, in an email to The Register.

"Crafting a message to the API so that an upgrade fails can leave the connection alive and allows re-use with arbitrary headers, and then allows cluster-admin level access to that aggregated API server. This could be used against the service-catalog that would allow for the creation of arbitrary service instances."

The vulnerability is particularly troubling because any unauthorized requests cannot be easily detected. According to Liggitt, they do not show up in the Kubernetes API server audit logs or server log. Malicious requests are visible in kublet or aggregated API server logs, but there's nothing that distinguishes them from authorized and proxied requests via the Kubernetes API server. ®

Similar topics


Other stories you might like

  • It's the flu season – FluBot, that is: Surge of info-stealing Android malware detected

    And a bunch of bank-account-raiding trojans also identified

    FluBot, a family of Android malware, is circulating again via SMS messaging, according to authorities in Finland.

    The Nordic country's National Cyber Security Center (NCSC-FI) lately warned that scam messages written in Finnish are being sent in the hope that recipients will click the included link to a website that requests permission to install an application that's malicious.

    "The messages are written in Finnish," the NCSC-FI explained. "They are written without Scandinavian letters (å, ä and ö) and include, for example, the characters +, /, &, % and @ in illogical places in the text to make it more difficult for telecommunications operators to filter the messages. The theme of the text may be that the recipient has received a voicemail message or a message from their mobile operator."

    Continue reading
  • AsmREPL: Wing your way through x86-64 assembly language

    Assemblers unite

    Ruby developer and internet japester Aaron Patterson has published a REPL for 64-bit x86 assembly language, enabling interactive coding in the lowest-level language of all.

    REPL stands for "read-evaluate-print loop", and REPLs were first seen in Lisp development environments such as Lisp Machines. They allow incremental development: programmers can write code on the fly, entering expressions or blocks of code, having them evaluated – executed – immediately, and the results printed out. This was viable because of the way Lisp blurred the lines between interpreted and compiled languages; these days, they're a standard feature of most scripting languages.

    Patterson has previously offered ground-breaking developer productivity enhancements such as an analogue terminal bell and performance-enhancing firmware for the Stack Overflow keyboard. This only has Ctrl, C, and V keys for extra-easy copy-pasting, but Patterson's firmware removes the tedious need to hold control.

    Continue reading
  • Microsoft adds Buy Now, Pay Later financing option to Edge – and everyone hates it

    There's always Use Another Browser

    As the festive season approaches, Microsoft has decided to add "Buy Now, Pay Later" financing options to its Edge browser in the US.

    The feature turned up in recent weeks, first in beta and canary before it was made available "by default" to all users of Microsoft Edge version 96.

    The Buy Now Pay Later (BNPL) option pops up at the browser level (rather than on checkout at an ecommerce site) and permits users to split any purchase between $35 and $1,000 made via Edge into four instalments spread over six weeks.

    Continue reading

Biting the hand that feeds IT © 1998–2021