CVE-2018-1002103: Dashboard vulnerable to DNS rebinding attack #3208

Closed
tstromberg opened this Issue Oct 2, 2018 · 0 comments

Collaborator

tstromberg commented Oct 2, 2018

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

minikube exposes the Kubernetes Dashboard service with a configuration that makes it vulnerable to DNS rebinding attacks.

Thanks to Alex Kaskasoli (MWR Labs) for reporting this problem [1]

Vulnerable versions:

  • minikube 0.3.0 - 0.29.0

Vulnerable configurations:

  • VM environments which use a predictable IP address, such as VirtualBox or "None".

Vulnerability impact:

If an attacker gets a victim to visit a malicious web page, the attacker may be able to execute arbitrary code within the victim's minikube cluster.

minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard without violating the Same-Origin Policy.

The attacker can generate a CSRF token from the /api/v1/csrftoken/appdeploymentfromfile endpoint, and pass this token to the /api/v1/appdeploymentfromfile endpoint to create a new Kubernetes Deployment running a payload of their choosing.

This vulnerability can be combined with a VM-specific vulnerability to escape to the host operating system. If minikube mount is in use, the attacker could also directly access the host filesystem.

Fixed versions:

  • Fixed in v0.30.0 by #3210

Fix impact:

Network access to the dashboard service is now provided on an as-needed basis, and is managed by kubectl proxy which enforces HTTP header checks to protect against DNS rebinding attacks.

Mitigations before upgrading:

Disable the dashboard entirely:

kubectl --namespace kube-system delete deployment kubernetes-dashboard

Additional information

@tstromberg tstromberg self-assigned this Oct 2, 2018

@tstromberg tstromberg closed this Oct 5, 2018

@tstromberg tstromberg changed the title from minikube dashboard host checking to CVE-2018-xxx: Dashboard is susceptible to DNS rebinding attack Oct 8, 2018

@tstromberg tstromberg added kind/security and removed kind/bug labels Oct 8, 2018

@tstromberg tstromberg changed the title from CVE-2018-xxx: Dashboard is susceptible to DNS rebinding attack to CVE-2018-TBD: Dashboard is susceptible to DNS rebinding attack Oct 8, 2018

@tstromberg tstromberg changed the title from CVE-2018-TBD: Dashboard is susceptible to DNS rebinding attack to CVE-2018-1002103: Dashboard is susceptible to DNS rebinding attack Oct 9, 2018

@tstromberg tstromberg changed the title from CVE-2018-1002103: Dashboard is susceptible to DNS rebinding attack to CVE-2018-1002103: Dashboard vulnerable to DNS rebinding attack Oct 9, 2018

periklis added a commit to periklis/nixpkgs that referenced this issue Oct 12, 2018

minikube: bump version 0.29.0 -> 0.30.0
This is a fix release for CVE-2018-1002103. More details in
kubernetes/minikube#3208

@periklis periklis referenced this issue Oct 12, 2018

Merged

minikube: bump version 0.29.0 -> 0.30.0 #48256

3 of 9 tasks complete

srhb added a commit to NixOS/nixpkgs that referenced this issue Oct 12, 2018

minikube: bump version 0.29.0 -> 0.30.0
This is a fix release for CVE-2018-1002103. More details in
kubernetes/minikube#3208

(cherry picked from commit e5ee89f)
Backport of #48256

scalavision added a commit to scalavision/nixpkgs that referenced this issue Oct 16, 2018

minikube: bump version 0.29.0 -> 0.30.0
This is a fix release for CVE-2018-1002103. More details in
kubernetes/minikube#3208