Vulnerability in Kubernetes Container Engine Enables Practically Anyone to Escalate Privileges
Ami Rojkes Dombe
| 06/12/2018
https://youtu.be/eBJs4mJjEDA
A software bug has been found in Kubernetes, a popular cloud container management system. The bug, CVE-2018-1002105 (designated "Kubernetes Privilege Escalation Flaw"), provides potential attackers with the option of escalating privileges, according to ZDNet.
Using a specially crafted request, any user can establish a connection through the Kubernetes API server to a backend server. Once the connection has been established, an attacker can send arbitrary requests through that network connection directly to the backend server. Moreover, these requests are authenticated through the Kubernetes API server's Transport Layer Security (TLS) credentials, namely – they attain a solid authentication seal, which makes them difficult to detect.
"Default RBAC policy allows all users (authenticated and unauthenticated) to perform discovery API calls that allow this escalation," the report states. "There is no simple way to detect whether this vulnerability has been used… because the unauthorized requests are made over an established connection (and) do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the Kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server."
According to Red Hat, "The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall."
https://youtu.be/eBJs4mJjEDA
A software bug has been found in Kubernetes, a popular cloud container management system. The bug, CVE-2018-1002105 (designated "Kubernetes Privilege Escalation Flaw"), provides potential attackers with the option of escalating privileges, according to ZDNet.
Using a specially crafted request, any user can establish a connection through the Kubernetes API server to a backend server. Once the connection has been established, an attacker can send arbitrary requests through that network connection directly to the backend server. Moreover, these requests are authenticated through the Kubernetes API server's Transport Layer Security (TLS) credentials, namely – they attain a solid authentication seal, which makes them difficult to detect.
"Default RBAC policy allows all users (authenticated and unauthenticated) to perform discovery API calls that allow this escalation," the report states. "There is no simple way to detect whether this vulnerability has been used… because the unauthorized requests are made over an established connection (and) do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the Kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server."
According to Red Hat, "The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization's firewall."
