CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem

[liggitt]

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

This vulnerability allows containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) to access files/directories outside of the volume, including the host’s filesystem.

Thanks to Maxim Ivanov for reporting this problem.

Vulnerable versions:

• Kubernetes 1.3.x-1.6.x
• Kubernetes 1.7.0-1.7.13
• Kubernetes 1.8.0-1.8.8
• Kubernetes 1.9.0-1.9.3

Vulnerable configurations:

• Clusters that allow untrusted users to control pod spec content, and prevent host filesystem access via hostPath volumes (or other volume types) using PodSecurityPolicy (or custom admission plugins)
• Clusters that make use of subpath volume mounts with untrusted containers or containers that can be compromised

Vulnerability impact:
A specially crafted pod spec combined with malicious container behavior can allow read/write access to arbitrary files outside volumes specified in the pod, including the host’s filesystem. This can be accomplished with any volume type, including emptyDir, and can be accomplished with a non-privileged pod (subject to file permissions).

Mitigations prior to upgrading:
Prevent untrusted users from creating pods (and pod-creating objects like deployments, replicasets, etc), or disable all volume types with PodSecurityPolicy (note that this prevents use of service account tokens in pods, and requires use of automountServiceAccountToken: false)

Fixed versions:

• Fixed in v1.7.14 by #61047
• Fixed in v1.8.9 by #61046
• Fixed in v1.9.4 by #61045
• Fixed in master by #61044 (included in v1.10.0-beta.3, will be in v1.10.0)

Action Required:
In addition to upgrading, PodSecurityPolicy objects designed to limit container permissions must completely disable hostPath volumes, as the allowedHostPaths feature does not restrict symlink creation and traversal. Future enhancements (tracked in issue #61043) are required to limit hostPath use to read only volumes or exact path matches before a PodSecurityPolicy can effectively restrict hostPath usage to a given subpath.

Known issues:

• Status and availability of fixes for regressions in subPath volume mount handling are tracked in #61563

[k8s-ci-robot]

@liggitt: There are no sig labels on this issue. Please add a sig label.

A sig label can be added by either:

1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
   e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

2. specifying the label manually: /sig <group-name>
   e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@liggitt: There are no sig labels on this issue. Please add a sig label.

A sig label can be added by either:

1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
   e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

2. specifying the label manually: /sig <group-name>
   e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-merge-robot]

[MILESTONENOTIFIER] Milestone Issue: Up-to-date for process

@jsafrane @liggitt @msau42

Note: This issue is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required

Issue Labels

• sig/storage: Issue will be escalated to these SIGs if needed.
• priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
• kind/bug: Fixes a bug discovered during the current release.

Help

• Additional instructions
• Commands for setting labels

[k8s-merge-robot]

[MILESTONENOTIFIER] Milestone Issue: Up-to-date for process

@jsafrane @liggitt @msau42

Note: This issue is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required

Issue Labels

• sig/storage: Issue will be escalated to these SIGs if needed.
• priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
• kind/bug: Fixes a bug discovered during the current release.

Help

• Additional instructions
• Commands for setting labels

[dc70184]

This article states that:
•Kubernetes 1.7.0-1.7.13

Does this mean all versions between 1.7.0 and 1.17.13 are vulnerable? For example, is 1.17.6 vulnerable?

[dc70184]

This article states that:
•Kubernetes 1.7.0-1.7.13

Does this mean all versions between 1.7.0 and 1.17.13 are vulnerable? For example, is 1.17.6 vulnerable?

[msau42]

anything between 1.7.0 and 1.7.13 are vulnerable, including 1.7.6

[msau42]

anything between 1.7.0 and 1.7.13 are vulnerable, including 1.7.6