Kubernetes discloses critical privilege escalation flaw

Container orchestration tool Kubernetes has disclosed a critical security issue that “makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes pod.”

The flaw affects all Kubernetes-based services and products, according to a Red Hat advisory, and has been given the number CVE-2018-1002105.

“The privilege escalation flaw ... is a big deal,” Red Hat said.

“Not only can [an] actor [use it to] steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organisation’s firewall.”

The flaw has been fixed in Kubernetes versions v1.10.11, v1.11.5 and v1.12.3. Users of earlier versions of Kubernetes, however, will likely have to upgrade to a newer version to be safe.

Kubernetes maintainers noted that exploitation of the privilege escalation flaw was not easy to detect,

“With a specially crafted request, users that are allowed to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” they said.

“There is no simple way to detect whether this vulnerability has been used.

“Because the unauthorised requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log.

“The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorised and proxied requests via the Kubernetes API server.”

Kubernetes said that the only known mitigations, aside from upgrading, would be to “suspend use of aggregated API servers” and remove permissions from “users that should not have full access to the kubelet API” - though maintainers noted both could be disruptive.

Google said it had updated “all Google Kubernetes Engine (GKE) masters ... affected by these vulnerabilities”.

“We have already upgraded clusters to the latest patch versions. No action is required,” it said in an advisory.

Kubernetes has become the standard for many IT shops that need to orchestrate Linux containers, for example, that make up or contribute components to various software applications.