Published in Cloud

Hole found in Kubernetes’ cloud

by on05 December 2018

Seen over Blackburn, Lancashire

The first security hole has been found in the open saucy cloud project software Kubernetes.

For those not in the know, Kubernetes is a popular series of open source projects for automating the deployment, scaling, and management of containerised applications.

The bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw is a CVSS 9.8 critical security hole, which is security talk for a Ramsay Bolton level of bastardry.

Using a network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server.

Once set up, an attacker can send arbitrary requests over the network connection directly to that backend. These requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials.

"In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation."

So if you know about this hole you can take command of the Kubernetes cluster.

What is really bad about the vulnerability is that there is no simple way to detect whether this vulnerability has been used.

Unauthorised requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from the normal authorised and proxied requests via the Kubernetes API server."

Red Hat has warned: "The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes pod. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall."

To deal with the flaw you have to upgrade Kubernetes to patched version of Kubernetes v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1.

Anyone daft enough to still using Kubernetes v1.0.x-1.9.x, stop, need to update to a patched version, warned Red Hat.

Jordan Liggitt, the Google software engineer who fixed the bug, said any other mitigations are likely to be disruptive.

No one has used the security hole to attack anyone yet. Darren Shepard, chief architect, and co-founder at Rancher Labs, discovered the bug and reported it using the Kubernetes vulnerability reporting process.


Last modified on 05 December 2018
Rate this item
(0 votes)

Read more about: