icon

We found results for “

CVE-2018-1002105

Date: December 5, 2018

Overview

Kubernetes (K8s) is a widely used open source container orchestration platform that automates the process of deploying, scaling, and managing containerized applications. Affected versions of this platform are vulnerable to a privilege escalation issue in which unprivileged requests are not fully terminated. This way, a remote attacker can elevate privileges and gain admin ownership of a cluster.

Details

The source of the CVE-2018-1002105 vulnerability is the Kubernetes API server, aka kube-apiserver, which is the central touchpoint where all Kubernetes operations are done. The API server is the gateway to the Kubernetes cluster, and it offers a wide range of capabilities by functioning as a reverse proxy to the kubelet deployed on the computing nodes. The server also functions as a reverse proxy when Kubernetes is extended using the aggregation layer. The aggregation layer enables the platform to be extended with other third-party APIs, beyond the ones provided by the built-in Kubernetes APIs. There are robust authentication and authorization mechanisms that safeguard access to the Kubernetes API server. However, this CVE enables a perpetrator to send valid, authorized request to the API server and circumvent the authorization logic found in any sequenced request. This allows the attacker to elevate the victim’s privileges. Attackers can exploit this vulnerability in two different ways. First, they can use the normal pod exec/attach/portforward privileges of a normal authenticated user to increase privileges and become admins. Also, they can use the unauthenticated privileges of a remote user to access the system and elevate privileges via the aggregated API server. By default, any user (either unauthenticated or authenticated) can carry out discovery API calls, which can potentially lead to this privilege escalation.

Affected Environments

Here are the versions of Kubernetes affected by this CVE (their fixes are also provided): Kubernetes v1.0.x-1.9.x (no fix available) Kubernetes v1.10.0-1.10.10 (fixed in version 1.10.11) Kubernetes v1.11.0-1.11.4 (fixed in version 1.11.5) Kubernetes v1.12.0-1.12.2 (fixed in version 1.12.3)

Remediation

Disallow the use of all aggregated API servers Pass --anonymous-auth=false command to the Kubernetes API server to disable any anonymous requests Disallow pod exec/attach/portforward privileges for users who should not have full rights to access the kubelet API.

Prevention

Upgrade to the latest version of Kubernetes Implement security controls on every Kubernetes node

Language: Go

Good to know:

icon

Error Handling

CWE-388

Improper Privilege Management

CWE-269
icon

Upgrade Version

Upgrade to version 1.10.11,1.11.5,1.12.3

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information:

Related Resources (34)