
CVE-2023-2727, CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin #118640

Closed
ritazh opened this issue Jun 13, 2023 · 10 comments
Labels
area/apiserver area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/auth Categorizes an issue or PR as relevant to SIG Auth. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@ritazh
Member

ritazh commented Jun 13, 2023

CVE-2023-2727: Bypassing policies imposed by the ImagePolicyWebhook admission plugin

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A security issue was discovered in Kubernetes where users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.

Am I vulnerable?

Clusters are impacted by this vulnerability if all of the following are true:

  1. The ImagePolicyWebhook admission plugin is used to restrict use of certain images
  2. Pods are using ephemeral containers.

Affected Versions

  • kube-apiserver v1.27.0 - v1.27.2
  • kube-apiserver v1.26.0 - v1.26.5
  • kube-apiserver v1.25.0 - v1.25.10
  • kube-apiserver <= v1.24.14

How do I mitigate this vulnerability?

This issue can be mitigated by applying the patch provided for the kube-apiserver component. This patch prevents ephemeral containers from using an image that is restricted by ImagePolicyWebhook.

Note: Validation webhooks (such as Gatekeeper and Kyverno) can also be used to enforce the same restrictions.

Fixed Versions

  • kube-apiserver v1.27.3
  • kube-apiserver v1.26.6
  • kube-apiserver v1.25.11
  • kube-apiserver v1.24.15

Detection

Pod update requests using an ephemeral container with an image that should have been restricted by an ImagePolicyWebhook will be captured in API audit logs. You can also use kubectl get pods to find active pods with ephemeral containers running an image that should have been restricted in your cluster with this issue.

Acknowledgements

This vulnerability was reported by Stanislav Láznička, and fixed by Rita Zhang.

CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.

Am I vulnerable?

Clusters are impacted by this vulnerability if all of the following are true:

  1. The ServiceAccount admission plugin is used. Most clusters should have this on by default as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount
  2. The kubernetes.io/enforce-mountable-secrets annotation is used by a service account. This annotation is not added by default.
  3. Pods are using ephemeral containers.

Affected Versions

  • kube-apiserver v1.27.0 - v1.27.2
  • kube-apiserver v1.26.0 - v1.26.5
  • kube-apiserver v1.25.0 - v1.25.10
  • kube-apiserver <= v1.24.14

How do I mitigate this vulnerability?

This issue can be mitigated by applying the patch provided for the kube-apiserver component. The patch prevents ephemeral containers from bypassing the mountable secrets policy enforced by the ServiceAccount admission plugin.

Fixed Versions

  • kube-apiserver v1.27.3
  • kube-apiserver v1.26.6
  • kube-apiserver v1.25.11
  • kube-apiserver v1.24.15

Detection

Pod update requests using an ephemeral container that exploits this vulnerability with an unintended secret will be captured in API audit logs. You can also use kubectl get pods to find active pods with ephemeral containers running with a secret that is not referenced by the service account in your cluster.

Acknowledgements

This vulnerability was reported by Rita Zhang, and fixed by Rita Zhang.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig auth
/area apiserver
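The two Detection sections above point at API audit logs and at `kubectl get pods` output. The following is an added triage script, not part of the advisory or of Kubernetes itself: it walks the `ephemeralContainers` of a Pod object (the `requestObject` of a `pods/ephemeralcontainers` audit event recorded at `RequestResponse` level, or one item of `kubectl get pods -o json`) and reports any ephemeral container whose image is outside an allowlist, or which pulls in a Secret not listed on a service account annotated `kubernetes.io/enforce-mountable-secrets`. The allowlist is a stand-in for whatever the ImagePolicyWebhook backend would decide, the service-account-to-secrets map is assumed to be pre-fetched, and all sample values are constructed.

```python
def secrets_referenced(container: dict, pod_spec: dict) -> set[str]:
    """Every Secret a container pulls in via env, envFrom or a mounted secret volume."""
    names = set()
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            names.add(ref["name"])
    for src in container.get("envFrom", []):
        if "secretRef" in src:
            names.add(src["secretRef"]["name"])
    # volumes are pod-level; an ephemeral container can only mount ones that already exist
    vols = {v["name"]: v["secret"]["secretName"] for v in pod_spec.get("volumes", []) if "secret" in v}
    names.update(vols[m["name"]] for m in container.get("volumeMounts", []) if m["name"] in vols)
    return names

def check_pod(pod: dict, allowed_images: set[str], sa_secrets: dict[str, set[str]]) -> list[str]:
    """Flag ephemeral containers whose image or secrets the admission plugins should have rejected."""
    spec = pod["spec"]
    sa = spec.get("serviceAccountName", "default")
    findings = []
    for ec in spec.get("ephemeralContainers", []):
        if ec["image"] not in allowed_images:
            findings.append(f"{ec['name']}: image {ec['image']} not permitted by image policy")
        if sa in sa_secrets:  # only SAs carrying kubernetes.io/enforce-mountable-secrets are listed
            for s in sorted(secrets_referenced(ec, spec) - sa_secrets[sa]):
                findings.append(f"{ec['name']}: secret {s} not in serviceaccount {sa} secrets")
    return findings

def check_audit_events(events: list[dict], allowed_images: set[str], sa_secrets: dict[str, set[str]]) -> list[str]:
    """Run check_pod over pods/ephemeralcontainers requests logged at RequestResponse level."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ref.get("resource") == "pods" and ref.get("subresource") == "ephemeralcontainers" and "requestObject" in ev:
            for f in check_pod(ev["requestObject"], allowed_images, sa_secrets):
                hits.append(f"{ev['user']['username']} {ref['namespace']}/{ref['name']} {f}")
    return hits

# Constructed sample: one audit event for an ephemeral-container update; all values are made up.
SAMPLE_EVENT = {
    "verb": "update", "user": {"username": "dev@example.com"},
    "objectRef": {"resource": "pods", "subresource": "ephemeralcontainers", "namespace": "prod", "name": "web-0"},
    "requestObject": {"spec": {
        "serviceAccountName": "web-sa",
        "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}],
        "ephemeralContainers": [{"name": "debugger", "image": "docker.io/library/busybox:latest",
            "env": [{"name": "PW", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "pw"}}}],
            "volumeMounts": [{"name": "tls", "mountPath": "/tls"}]}]}}}
ALLOWED_IMAGES = {"registry.example.com/web:1.2"}  # stand-in for the ImagePolicyWebhook backend's decision
SA_SECRETS = {"web-sa": {"web-tls"}}  # SAs annotated kubernetes.io/enforce-mountable-secrets -> their secrets
```

On a real cluster, feed `check_audit_events` the parsed audit log and `check_pod` each item of `kubectl get pods -A -o json`; a finding on a patched version indicates a pod created before the fix was applied.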

@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 13, 2023
@tamilselvan1102

please describe the issue

@tamilselvan1102

/triage needs-information

@k8s-ci-robot k8s-ci-robot added the triage/needs-information Indicates an issue needs more information in order to work on it. label Jun 14, 2023
@ritazh ritazh changed the title Add ephemeralcontainer to imagepolicy securityaccount admission plugin CVE-2023-2727, CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Jun 15, 2023
@ritazh ritazh closed this as completed Jun 15, 2023
@BenTheElder BenTheElder added kind/bug Categorizes issue or PR as related to a bug. area/security area/apiserver sig/auth Categorizes an issue or PR as relevant to SIG Auth. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. triage/accepted Indicates an issue or PR is ready to be actively worked on. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) labels Jun 15, 2023
@k8s-ci-robot k8s-ci-robot removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 15, 2023
@BenTheElder
Member

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig auth
/area apiserver

[You have to place prow commands in a new comment, it ignores comment edit events when looking for slash commands to avoid unintentionally triggering them on comment edits]

@BenTheElder BenTheElder removed the triage/needs-information Indicates an issue needs more information in order to work on it. label Jun 15, 2023
@BenTheElder
Member

@tamilselvan1102 it is standard practice in Kubernetes that private security issues start as a placeholder issue with no details until the patch is released and the details are later edited in. They usually just say "placeholder issue" filed by an organization member.

@tamilselvan1102

@BenTheElder
Understood, thank you.

@jsafrane
Member

nit: it would be nice to acknowledge the issue reporter.

@ritazh
Member Author

ritazh commented Jun 15, 2023

Updated Acknowledgements section. Thanks!

@PushkarJ
Member

/retitle CVE-2023-2727,CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

(To fix this issue kubernetes/website#47003 in RSS CVE feed by removing space after comma)

@k8s-ci-robot k8s-ci-robot changed the title CVE-2023-2727, CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin CVE-2023-2727,CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Jun 28, 2024
@PushkarJ
Member

PushkarJ commented Jul 1, 2024

/retitle CVE-2023-2727, CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

(Resetting back to original as kubernetes/website#47003 is now fixed and accepts any number of spaces before and after comma)

@k8s-ci-robot k8s-ci-robot changed the title CVE-2023-2727,CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin CVE-2023-2727, CVE-2023-2728: Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Jul 1, 2024