
Critical Kubernetes privilege escalation disclosed

A critical flaw in the Kubernetes container orchestration system has been announced. It allows any user to compromise a Kubernetes cluster by exploiting any aggregated API server deployed for it. All Kubernetes versions from 1.0 through 1.12 are affected, but fixes are available only for the supported releases (1.10.11, 1.11.5, and 1.12.3). "With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection. [...] In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation. [...] There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server." Kubernetes users should obviously update as soon as possible.
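Since the announcement gives no way to detect past exploitation, the practical response is a version triage of every cluster against the affected and fixed releases named above. The following is an added example (not from the LWN article or the Kubernetes project) that classifies server version strings of the form reported by `kubectl version` (e.g. `v1.12.2` or a vendor build like `v1.11.4-gke.5`, both assumed formats) into patched, vulnerable-with-fix-available, vulnerable-with-no-fix (unsupported series), or not listed as affected.

```python
import re

# Fixed releases named in the announcement, keyed by minor series.
FIXED = {10: (1, 10, 11), 11: (1, 11, 5), 12: (1, 12, 3)}
# The announcement says every release from 1.0 through 1.12 is affected.
AFFECTED_MINORS = range(0, 13)


def parse_version(s):
    """Parse a gitVersion such as 'v1.12.2' or 'v1.11.4-gke.5' (assumed
    formats) into a (major, minor, patch) tuple; suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError("unrecognised Kubernetes version: %r" % s)
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify one server version against the advisory's release lists."""
    major, minor, patch = parse_version(version)
    if major != 1 or minor not in AFFECTED_MINORS:
        return "not-listed"               # outside the 1.0..1.12 range
    fixed = FIXED.get(minor)
    if fixed is None:
        return "vulnerable-unsupported"   # affected series with no fix released
    if (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable-upgrade"           # fix exists in this series; upgrade


def triage(clusters):
    """Map cluster name -> version to cluster name -> (status, advice)."""
    out = {}
    for name, version in clusters.items():
        status = assess(version)
        minor = parse_version(version)[1]
        if status == "vulnerable-upgrade":
            advice = "upgrade to v%d.%d.%d" % FIXED[minor]
        elif status == "vulnerable-unsupported":
            advice = "no fix for this series; move to a supported release"
        else:
            advice = "no action from this advisory"
        out[name] = (status, advice)
    return out


if __name__ == "__main__":
    # Constructed inventory for illustration; not real cluster data.
    sample = {"prod": "v1.12.2", "staging": "v1.10.11-gke.1", "legacy": "v1.9.7"}
    for name, (status, advice) in triage(sample).items():
        print("%-8s %-24s %s" % (name, status, advice))
```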


Critical Kubernetes privilege escalation disclosed

Posted Dec 4, 2018 19:44 UTC (Tue) by fartman (guest, #128226) [Link] (1 responses)

Classic confused deputy.

Critical Kubernetes privilege escalation disclosed

Posted Dec 4, 2018 20:59 UTC (Tue) by naptastic (guest, #60139) [Link]

I had to look this up. Thanks for the free lesson in security! :D

Critical Kubernetes privilege escalation disclosed

Posted Dec 5, 2018 14:02 UTC (Wed) by lkundrak (subscriber, #43452) [Link]

> but is only fixed in the supported versions (in 1.10.11, 1.11.5, and 1.12.3).

That is, only versions released this year?

Critical Kubernetes privilege escalation disclosed

Posted Dec 6, 2018 10:54 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (1 responses)

"In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls"

As a general rule: Try to build things that expose the least possible surface to unauthenticated users.

One of the things that has my grudging admiration in WireGuard is that if you aren't an authenticated user you can't even get it to send anyone (including you) a packet saying "No, you aren't an authenticated user, go away". This obviously will make _debugging_ a WireGuard setup trickier, but it means even in IPv4 bad guys will have no incentive to bang on random IPs looking for a service, since they need the correct credentials to get any response at all.

Critical Kubernetes privilege escalation disclosed

Posted Dec 11, 2018 10:17 UTC (Tue) by nix (subscriber, #2304) [Link]

It also makes amplification attacks harder. :)


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds