kubescape · 0xquark · Feb 9, 2023 · Feb 9, 2023 · Feb 13, 2023 · Feb 17, 2023
diff --git a/controls/C-0238-detectaggregatedapiserverredirection.json b/controls/C-0238-detectaggregatedapiserverredirection.json
@@ -0,0 +1,17 @@
+{
+    "name": "Kubernetes Aggregated API Server Redirection Vulnerability",
+    "attributes": {
+        "armoBuiltin": true
+    },
+    "references": [
+    ],
+    "description": "A security vulnerability has been discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL, potentially compromising client credentials and leading to unexpected actions.",
+    "remediation": "Upgrade to a fixed version of kube-apiserver, ensure that only trusted administrators can create or modify APIService configuration, and follow security best practices with aggregated API servers.",
+    "rulesNames": [
+        "detect-aggregated-api-server-redirection"
+    ],
+    "long_description": "Kubernetes aggregated API servers are a trusted part of the control plane, but this vulnerability allows them to redirect client traffic to any URL, potentially compromising client credentials and leading to unexpected actions. To mitigate this vulnerability, it is recommended to upgrade to a fixed version of kube-apiserver, and to ensure that only trusted administrators can create or modify APIService configuration, and follow security best practices with any aggregated API servers that may be in use. The fix impacts redirect functionality from aggregated API servers, but this behavior can be restored by setting the --aggregator-reject-forwarding-redirect Kubernetes API server flag to false.",
+    "test": "Run the following command to identify if aggregated API servers are in use: kubectl get apiservices.apiregistration.k8s.io -o=jsonpath='{range .items[?(@.spec.service)]}{.metadata.name}{\n}{end}'. Check the version of kube-apiserver and ensure it is a fixed version. Monitor the Kubernetes audit log for evidence of redirection.",
+    "controlID": "C-0238",
+    "baseScore": 5.1
+    }
diff --git a/rules/detect-aggregated-api-server-redirection/raw.rego b/rules/detect-aggregated-api-server-redirection/raw.rego
@@ -0,0 +1,15 @@
+package armo_builtins
+
+import input.spec as apiservice_spec
+import input.metadata.name as api_name
+import future.keywords
+
+vulnerable_version {
+  ver := ["1.21.14", "1.22.0-1.22.13", "1.23.0-1.23.10", "1.24.0-1.24.4", "1.25.0"]
+  ver[_] = api_name
+}
+
+deny[msg] {
+  vulnerable_version
+  msg := sprintf("API server %s is vulnerable to CVE-2022-3172, an aggregated API server is redirecting client traffic to any URL.", [api_name])
+}
diff --git a/rules/detect-aggregated-api-server-redirection/rule.metadata.json b/rules/detect-aggregated-api-server-redirection/rule.metadata.json
@@ -0,0 +1,27 @@
+{
+    "name": "detect-aggregated-api-server-redirection",
+    "attributes": {
+      "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          "apiregistration.k8s.io"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+          "APIService"
+        ]
+      }
+    ],
+    "ruleDependencies": [
+    ],
+    "controlConfigInputs": [
+    ],
+    "description": "Detects if an aggregated API server is vulnerable to redirection as described in CVE-2022-3172.",
+    "remediation": "Upgrade to a fixed version of kube-apiserver or follow security best practices with any aggregated API servers that may be in use.",
+    "ruleQuery": "armo_builtins"
+}
diff --git a/rules/detect-aggregated-api-server-redirection/test/expected.json b/rules/detect-aggregated-api-server-redirection/test/expected.json
@@ -0,0 +1,21 @@
+[  
+    {
+        "alertMessage": "API server 1.21.14 is vulnerable to CVE-2022-3172, an aggregated API server is redirecting client traffic to any URL.",    
+        "failedPaths": [],
+        "fixPaths": [],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 5.1,
+        "alertObject": {
+         "k8sApiObjects": [
+            {
+             "apiVersion": "apiregistration.k8s.io/v1",
+             "kind": "APIService",
+             "metadata": {
+                "name": "1.21.14"
+            }
+            }
+        ]
+    }
+  }
+]
diff --git a/rules/detect-aggregated-api-server-redirection/test/input/api_service.yaml b/rules/detect-aggregated-api-server-redirection/test/input/api_service.yaml
@@ -0,0 +1,4 @@
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: "1.21.14"