CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections #71411
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8, critical)
With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
Thanks to Darren Shepherd for reporting this problem.
CVE-2018-1002105 is fixed in the following Kubernetes releases:
Note: If you are using binaries or packages provided by a distributor (not the ones provided in the open source release artifacts), you should contact them to determine what versions resolve this CVE. Distributors may choose to provide support for older releases beyond the ones maintained by the open source project.
This section lists possible mitigations to use prior to upgrading. Note that many of the mitigations are likely to be disruptive, and upgrading to a fixed version is strongly recommended.
Mitigations for the anonymous user -> aggregated API server escalation include:
Mitigations for the authenticated user -> aggregated API server escalation include:
Mitigation for the authorized pod exec/attach/portforward -> kubelet API escalation:
There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.
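Since the proxied kubelet requests cannot be told apart in logs, the practical defender step is to know exactly which Roles and ClusterRoles grant the pod exec/attach/portforward permissions named in the mitigation section. The following audit helper is an added example, not part of the advisory or of Kubernetes; it reads the JSON shape returned by `kubectl get clusterroles,roles -o json`, and the sample roles below are constructed.

```python
import json

# Subresources through which the kube-apiserver opens an upgraded (SPDY/websocket)
# connection to the kubelet on the user's behalf, and the RBAC verbs that allow it
# ("create" for the SPDY form, "get" for the websocket form).
ESCALATION_RESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
ESCALATION_VERBS = {"create", "get"}


def _matches(pattern, value):
    """RBAC wildcard matching: '*' covers everything, 'pods/*' covers all pod subresources."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def escalation_capable_rules(role):
    """Return (subresource, matching pattern) pairs for each rule that grants exec/attach/portforward."""
    hits = []
    for rule in role.get("rules", []):
        # pods live in the core API group, spelled "" in RBAC rules; "*" also covers it
        if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
            continue
        verbs = set(rule.get("verbs", []))
        if "*" not in verbs and not verbs & ESCALATION_VERBS:
            continue
        for res in rule.get("resources", []):
            hits.extend((t, res) for t in sorted(ESCALATION_RESOURCES) if _matches(res, t))
    return hits


def audit(roles):
    """Map role name -> hits, keeping only roles that expose the proxied kubelet path."""
    report = {}
    for role in roles:
        hits = escalation_capable_rules(role)
        if hits:
            report[role["metadata"]["name"]] = hits
    return report


def audit_kubectl_json(text):
    """Audit the output of `kubectl get clusterroles,roles -A -o json` (a List with `items`)."""
    return audit(json.loads(text)["items"])


# Constructed sample roles (hypothetical names), in the shape kubectl returns.
SAMPLE_ROLES = [
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ROLES).items():
        print(name, "->", ", ".join(f"{t} (via {p})" for t, p in hits))
```

Feed real cluster output with `audit_kubectl_json(open("roles.json").read())`; every role it reports should be cross-checked against its bindings, since each bound subject can reach the kubelet path described above until the cluster is upgraded.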
Because the kube-apiserver <-> kubelet connection was established with the kube-apiserver's TLS credentials, which are broadly authorized against the kubelet API. The kubelet would authorize the kube-apiserver to make that request, and allow it.