Vulnerability in Kubernetes Container Engine Enables Practically Anyone to Escalate Privileges

A software bug has been found in Kubernetes, a popular cloud container management system. The bug, CVE-2018-1002105 (designated "Kubernetes Privilege Escalation Flaw"), provides potential attackers with the option of escalating privileges, according to ZDNet.

Using a specially crafted request, any user can establish a connection through the Kubernetes API server to a backend server. Once the connection has been established, an attacker can send arbitrary requests through that network connection directly to the backend server. Moreover, these requests are authenticated through the Kubernetes API server's Transport Layer Security (TLS) credentials, namely – they attain a solid authentication seal, which makes them difficult to detect.

"Default RBAC policy allows all users (authenticated and unauthenticated) to perform discovery API calls that allow this escalation," the report states. "There is no simple way to detect whether this vulnerability has been used… because the unauthorized requests are made over an established connection (and) do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the Kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server."

According to Red Hat, "The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall."

 

You might be interested also

F-16 fighter jets in service with the IAF (Photo: IDF)

Report: US Blocks F-16 Deal between Israel, Croatia

PM Netanyahu discussed the issue with US Secretary of State Mike Pompeo earlier this week in Brussels, Israeli officials told Axios. Pompeo reportedly said US Secretary of Defense James Mattis was the one blocking the $500 million deal