
CVE-2023-2431: Bypass of seccomp profile enforcement #118690

Closed
SaranBalaji90 opened this issue Jun 15, 2023 · 6 comments
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments


SaranBalaji90 commented Jun 15, 2023

What happened?

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. This issue has been rated LOW (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) (score: 3.4).

If you have pods in your cluster that use localhost type for seccomp profile but specify an empty profile field, then you are affected by this issue. In this scenario, this vulnerability allows the pod to run in “unconfined” (seccomp disabled) mode. This bug affects Kubelet.

How can we reproduce it (as minimally and precisely as possible)?

This can be reproduced by creating a pod with the following sample seccomp Localhost profile, which sets the Localhost type but leaves the profile name empty:

    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: ""

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#seccompprofile-v1-core

Kubernetes version

Affected Versions
v1.27.0 - v1.27.1
v1.26.0 - v1.26.4
v1.25.0 - v1.25.9
<= v1.24.13

Fixed Versions
v1.27.2
v1.26.5
v1.25.10
v1.24.14

Anything else we need to know?

How do I remediate this vulnerability?
To remediate this vulnerability you should upgrade your Kubelet to one of the below mentioned versions.

Acknowledgements
This vulnerability was reported by Tim Allclair, and fixed by Craig Ingram.
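As an added defensive check (not code from the Kubernetes project or from this issue), the following Python audits a Pod manifest for the shape described above, a Localhost seccomp type with an empty or missing localhostProfile, applying the same rule the fix enforces in the kubelet so the misconfiguration can be caught before submission; the sample manifest is constructed.

```python
# Added example (not Kubernetes project code): audit a Pod manifest for the
# CVE-2023-2431 shape, a seccompProfile of type Localhost whose localhostProfile
# is empty or missing. Unpatched kubelets ran such pods unconfined; the upstream
# fix rejects them, and this check applies the same rule to manifests before
# they are submitted (e.g. in CI or an admission webhook).

def _empty_localhost_profile(sec_ctx):
    """True if a securityContext requests Localhost seccomp with no profile."""
    prof = (sec_ctx or {}).get("seccompProfile") or {}
    if prof.get("type") != "Localhost":
        return False
    return not prof.get("localhostProfile")  # missing or "" both count

def find_empty_localhost_profiles(pod):
    """Return a location string for every offending securityContext."""
    hits = []
    spec = pod.get("spec") or {}
    if _empty_localhost_profile(spec.get("securityContext")):
        hits.append("spec.securityContext")
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            if _empty_localhost_profile(c.get("securityContext")):
                hits.append(f"{field}/{c.get('name', '?')}")
    return hits

# Constructed sample (not from the issue): pod-level context has the bug,
# container "good" names a profile, container "bad" omits the field entirely.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "seccomp-demo"},
    "spec": {
        "securityContext": {
            "seccompProfile": {"type": "Localhost", "localhostProfile": ""}
        },
        "containers": [
            {"name": "good", "image": "busybox",
             "securityContext": {"seccompProfile": {
                 "type": "Localhost",
                 "localhostProfile": "profiles/audit.json"}}},
            {"name": "bad", "image": "busybox",
             "securityContext": {"seccompProfile": {"type": "Localhost"}}},
        ],
    },
}

if __name__ == "__main__":
    for where in find_empty_localhost_profiles(SAMPLE_POD):
        print(f"Localhost seccomp with empty localhostProfile at {where}")
```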

@SaranBalaji90 SaranBalaji90 added the kind/bug Categorizes issue or PR as related to a bug. label Jun 15, 2023
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 15, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@SaranBalaji90
Contributor Author

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig node
/area kubelet

@k8s-ci-robot k8s-ci-robot added area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/node Categorizes an issue or PR as relevant to SIG Node. area/kubelet official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 15, 2023
@SaranBalaji90
Contributor Author

Fix PRs:

#117020
#117116
#117117
#117118
#117147

tzstoyanov added a commit to tzstoyanov/container-tracer that referenced this issue Jun 21, 2023
Fixes a security issue in versions < 1.26.5:
kubernetes/kubernetes#118690

Signed-off-by: Tzvetomir Stoyanov (VMware) <tz.stoyanov@gmail.com>
tzstoyanov added a commit to vmware-archive/container-tracer that referenced this issue Jun 22, 2023
Fixes a security issue in versions < 1.26.5:
kubernetes/kubernetes#118690

Signed-off-by: Tzvetomir Stoyanov (VMware) <tz.stoyanov@gmail.com>
wongma7 pushed a commit to wongma7/kubernetes that referenced this issue Jul 24, 2023
…st profile defined

Description:
* "Returns an error when a Pod or Container's SecurityContext has a localhost seccomp type but an empty
localhostProfile field" (PR description)

Upstream PR, Issue, KEP, etc. links:
* PR: kubernetes#117118
* Commit: 73174f8
* Issue: kubernetes#118690

If this patch is based on an upstream commit, how (if at all) do this patch and the upstream source differ?
* The cherry-pick is from 1.24, so there could be some minor differences.

If this patch's changes have not been added by upstream, why not?
* N/A

Other patches related to this patch:
* None

Changes made to this patch after its initial creation and reasons for these changes:
* None

Kubernetes version this patch can be dropped:
* This patch is not needed in >= 1.24, as it has been added by upstream.
@SalDaniele

SalDaniele commented Aug 31, 2023

Hello @SaranBalaji90,

Does this bug affect k8s.io/kubernetes or k8s.io/kubelet? I see the description in this issue explicitly states kubelet is affected, but the remedy provided looks like Kubernetes versioning. Is upgrading k8s.io/kubernetes sufficient to remedy this?

@SalDaniele

Hello @SaranBalaji90 , if an application does not use kubernetes but uses kubelet, is remediation required?

i.e.

$ go mod graph | grep kubernetes
$ go mod graph | grep kubelet
github.com/k8snetworkplumbingwg/sriov-network-operator@v1.2.0 k8s.io/kubelet@v0.24.0
github.com/openshift/machine-config-operator@v0.0.1-0.20230118083703-fc27a2bdaa85 k8s.io/kubelet@v0.25.1

The remediation version seems to be for k8s.io/kubernetes, is any upgrade required in k8s.io/kubelet?

@Issacwww

Hello @SaranBalaji90, would like to confirm if Kubernetes 1.23 is impacted by this CVE or not?
