Kubernetes is by far the most popular cloud container system available, so it was only a matter of time before researchers found a serious problem. That moment is here: the first major bug is a privilege escalation flaw rated critical, with a CVSS score of 9.8.
The flaw is tracked as CVE-2018-1002105. It allows anyone to connect to a Kubernetes Application Programming Interface (API) server and, through it, to a backend server. Once that connection is established, an attacker can send arbitrary requests directly to that backend, and those requests are authenticated with the API server's own Transport Layer Security (TLS) credentials.
Serious and untraceable
The problem appears to be potentially large. Red Hat states that with the default settings, any user, whether authenticated or not, can submit API requests that lead to an escalation of privileges. Anyone who knows about the security problem can in principle take over a Kubernetes cluster.
Red Hat researchers write that there is no easy way to determine whether this has actually happened, because the malicious requests do not appear in the Kubernetes API server logs. Since the requests appear to be authorized, they end up in the kubelet or aggregated API server logs, where they are indistinguishable from legitimate requests.
Solution is possible
The Red Hat researchers therefore argue that it is possible for anyone to give themselves administrator rights. This is a big problem: an attacker can not only steal sensitive data or inject malicious code, but also take down production applications and services that sit behind an organization's firewall.
There is a solution to the problem: users must update to one of these versions of Kubernetes: v1.10.11, v1.11.5, v1.12.3 or v1.13.0-rc.1. If your system still runs Kubernetes v1.0.x to 1.9.x, you are vulnerable. Mitigations are also possible on those older versions, but they mean that aggregated API servers can no longer be used and that users can no longer be granted pod exec/attach/portforward permissions. These mitigations presumably have a major impact.
Red Hat reports that all of its Kubernetes-based services and products, including Red Hat OpenShift Container Platform, Red Hat OpenShift Online and Red Hat OpenShift Dedicated, are affected. Red Hat has started rolling out patches and updates. As far as is known, the bug has not yet been exploited, but that is not certain.
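The fixed releases listed above translate into a simple version check an administrator can run before deciding whether a cluster needs the upgrade or the interim mitigations. The script below is an added example, not code from the article or from the Kubernetes project: the functions `k8s_vulnerable` and `report` and the sample version strings are constructed here. It assumes the version string has the form vMAJOR.MINOR.PATCH with an optional suffix, as printed on the "Server Version:" line of `kubectl version --short`, and it ignores pre-release tags, so every 1.13.0 build is treated as fixed and vendor builds that backport the fix under an older upstream number are reported as vulnerable.

```shell
#!/bin/sh
# Added example (not from the Techzine article or the Kubernetes project).
# Classifies a Kubernetes server version string against the fixed releases
# named in the article: v1.10.11, v1.11.5, v1.12.3 and v1.13.0-rc.1.
# Assumption: input looks like vMAJOR.MINOR.PATCH[-suffix][+build]; the
# suffix is dropped, so 1.13.0-rc.1 and every later 1.13.0 build count as fixed.

# k8s_vulnerable VERSION
#   exit 0 -> vulnerable to CVE-2018-1002105
#   exit 1 -> carries the fix
#   exit 2 -> version string could not be parsed (or is not a 1.x release)
k8s_vulnerable() {
    ver=${1#v}            # strip the leading "v"
    ver=${ver%%-*}        # drop "-rc.1", "-gke.3" and similar suffixes
    ver=${ver%%+*}        # drop "+build" metadata
    [ -n "$ver" ] || return 2

    # Split MAJOR.MINOR.PATCH on dots (the function's positional parameters are reused).
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    [ $# -eq 3 ] || return 2
    major=$1; minor=$2; patch=$3
    for field in "$major" "$minor" "$patch"; do
        case "$field" in ''|*[!0-9]*) return 2 ;; esac
    done

    # Only the 1.x release lines are classified here.
    [ "$major" -eq 1 ] || return 2

    # Every 1.0.x to 1.9.x release is vulnerable and received no fixed release.
    [ "$minor" -le 9 ] && return 0

    # On the supported lines, anything below the fixed patch level is vulnerable;
    # 1.13 and later already carry the fix.
    case "$minor" in
        10) [ "$patch" -lt 11 ] ;;
        11) [ "$patch" -lt 5 ] ;;
        12) [ "$patch" -lt 3 ] ;;
        *)  return 1 ;;
    esac
}

# report VERSION: human-readable wrapper around k8s_vulnerable.
report() {
    rc=0
    k8s_vulnerable "$1" || rc=$?
    case $rc in
        0) printf '%s: VULNERABLE to CVE-2018-1002105, upgrade or apply mitigations\n' "$1" ;;
        1) printf '%s: fixed\n' "$1" ;;
        *) printf '%s: unrecognised version string\n' "$1" ;;
    esac
}

# Constructed sample version strings (not taken from any real cluster).
for v in v1.9.11 v1.10.10 v1.10.11 v1.12.2 v1.12.2-gke.3 v1.12.3 v1.13.0-rc.1 not-a-version; do
    report "$v"
done
```

On a live cluster, pass the value from the "Server Version:" line of `kubectl version --short` to `report`; a version that the script calls vulnerable needs either the upgrade or, as the article notes, the removal of aggregated API servers and of pod exec/attach/portforward permissions until the upgrade can happen.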
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.