CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem #60813

Closed
liggitt opened this Issue Mar 5, 2018 · 4 comments

Member

liggitt commented Mar 5, 2018

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

This vulnerability allows containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) to access files/directories outside of the volume, including the host’s filesystem.

Thanks to Maxim Ivanov for reporting this problem.

Vulnerable versions:

  • Kubernetes 1.3.x-1.6.x
  • Kubernetes 1.7.0-1.7.13
  • Kubernetes 1.8.0-1.8.8
  • Kubernetes 1.9.0-1.9.3

Vulnerable configurations:

  • Clusters that allow untrusted users to control pod spec content, and prevent host filesystem access via hostPath volumes (or other volume types) using PodSecurityPolicy (or custom admission plugins)
  • Clusters that make use of subpath volume mounts with untrusted containers or containers that can be compromised

Vulnerability impact:
A specially crafted pod spec combined with malicious container behavior can allow read/write access to arbitrary files outside volumes specified in the pod, including the host’s filesystem. This can be accomplished with any volume type, including emptyDir, and can be accomplished with a non-privileged pod (subject to file permissions).

Mitigations prior to upgrading:
Prevent untrusted users from creating pods (and pod-creating objects like deployments, replicasets, etc), or disable all volume types with PodSecurityPolicy (note that this prevents use of service account tokens in pods, and requires use of automountServiceAccountToken: false)

Fixed versions:

  • Fixed in v1.7.14 by #61047
  • Fixed in v1.8.9 by #61046
  • Fixed in v1.9.4 by #61045
  • Fixed in master by #61044 (included in v1.10.0-beta.3, will be in v1.10.0)

Action Required:
In addition to upgrading, PodSecurityPolicy objects designed to limit container permissions must completely disable hostPath volumes, as the allowedHostPaths feature does not restrict symlink creation and traversal. Future enhancements (tracked in issue #61043) are required to limit hostPath use to read only volumes or exact path matches before a PodSecurityPolicy can effectively restrict hostPath usage to a given subpath.

Known issues:

  • Status and availability of fixes for regressions in subPath volume mount handling are tracked in #61563
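The PodSecurityPolicy shapes implied by the "Mitigations prior to upgrading" and "Action Required" paragraphs above, written out as an added example; this is not part of the issue text and not a manifest from the Kubernetes project. Policy names, the namespace, the image and the /var/log prefix are assumptions. The manifests assume a cluster that serves PodSecurityPolicy under apiVersion policy/v1beta1 (1.10 and later; earlier releases used extensions/v1beta1) and that allowedHostPaths is available (1.9 and later).

```yaml
# Example 1 (WEAK): the configuration the "Action Required" paragraph warns
# against. hostPath is still an allowed volume type and allowedHostPaths is
# relied on to confine it. allowedHostPaths only prefix-matches the declared
# path; it does not restrict symlink creation or traversal, so a subPath
# mount under /var/log can still reach the rest of the host filesystem.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-weak            # assumed name
spec:
  privileged: false
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - persistentVolumeClaim
    - hostPath                     # this entry is the problem
  allowedHostPaths:
    - pathPrefix: "/var/log"       # assumed prefix; does not stop symlink traversal
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Example 2 (CORRECTED): hostPath removed from the allow list entirely, with
# no allowedHostPaths stanza. Pods may still use the listed non-host volume
# types once the cluster runs a fixed release (1.7.14, 1.8.9, 1.9.4, 1.10.0
# or later).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-no-hostpath     # assumed name
spec:
  privileged: false
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - persistentVolumeClaim
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Example 3 (PRE-UPGRADE MITIGATION): no volume types at all, as the
# "Mitigations prior to upgrading" paragraph describes. An empty volumes
# list means no volume plugin is permitted. The service account token is
# itself injected as a secret volume, so pods admitted under this policy
# must set automountServiceAccountToken: false or they will be rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-volumes                 # assumed name
spec:
  privileged: false
  volumes: []
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A pod that can be admitted under the no-volumes policy.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-worker           # assumed name
  namespace: untrusted             # assumed namespace
spec:
  automountServiceAccountToken: false
  containers:
    - name: app
      image: example.com/app:1.0   # assumed image
```

A policy only takes effect when the PodSecurityPolicy admission plugin is enabled on the API server and the pod's service account (or the creating user) is granted the `use` verb on that policy through RBAC; the weak policy is shown for contrast only and should not be applied. PodSecurityPolicy was removed from Kubernetes in 1.25, so these manifests apply to clusters of the era of this advisory.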

@liggitt liggitt self-assigned this Mar 5, 2018

Collaborator

k8s-ci-robot commented Mar 5, 2018

@liggitt: There are no sig labels on this issue. Please add a sig label.

A sig label can be added by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Collaborator

k8s-merge-robot commented Mar 12, 2018

[MILESTONENOTIFIER] Milestone Issue: Up-to-date for process

@jsafrane @liggitt @msau42

Note: This issue is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required
Issue Labels
  • sig/storage: Issue will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.

k8s-merge-robot added a commit that referenced this issue Mar 12, 2018

Merge pull request #61044 from liggitt/subpath-master
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

subpath fixes

fixes #60813 for master / 1.10

```release-note
Fixes CVE-2017-1002101 - See https://issue.k8s.io/60813 for details
```

@liggitt liggitt changed the title from CVE-2017-1002101 to CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem Mar 12, 2018

@mikesplain mikesplain referenced this issue in kubernetes/kops Mar 12, 2018

Merged

Bump alpha channels for CVE #4666

@gh1001 gh1001 referenced this issue in openshift/origin Mar 12, 2018

Closed

build 3.7.1 rpms #18184

@liggitt liggitt referenced this issue Mar 22, 2018

Open

subPath volume mount umbrella issue #61563

5 of 7 tasks complete
dc70184 commented Mar 23, 2018

This article states that:
•Kubernetes 1.7.0-1.7.13

Does this mean all versions between 1.7.0 and 1.17.13 are vulnerable? For example, is 1.17.6 vulnerable?

Member

msau42 commented Mar 23, 2018

anything between 1.7.0 and 1.7.13 are vulnerable, including 1.7.6

@liggitt liggitt referenced this issue in kubernetes/website Apr 17, 2018

Closed

Issue with k8s.io/security/ #8065

1 of 2 tasks complete