Incomplete Fix Leads to New Kubernetes Bug


A new high-severity Kubernetes vulnerability has been discovered, according to a security announcement on Securelists.org.

As part of the ongoing Kubernetes security audit sponsored by the Cloud Native Computing Foundation, the Kubernetes product security team announced a new high-severity vulnerability (CVE-2019-11246) that impacts kubectl, the command line interface used to run commands against Kubernetes clusters.

“Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited. The issue is high severity and upgrading kubectl to Kubernetes 1.12.9, 1.13.6, and 1.14.2 or later is encouraged to fix this issue,” wrote Joel Smith.

To determine whether you are vulnerable, Smith said to run kubectl version --client. Any versions other than client version 1.12.9, 1.13.6 or 1.14.2 are vulnerable and should be updated.
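The version check described above can be scripted across workstations. The following is an added example, not code from the Kubernetes project or the announcement; the function names and the sample output are constructed, and it assumes "or later" in the announcement means a later patch on the same minor line or a newer minor line.

```shell
#!/bin/sh
# Added example: classify a kubectl client version against the fixed
# releases named in the announcement (1.12.9, 1.13.6, 1.14.2).

# Constructed sample of `kubectl version --client` output, not taken from a real host.
SAMPLE_OUTPUT='Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"0000000", GoVersion:"go1.12.1"}'

# Return the first vMAJOR.MINOR.PATCH string in the given text.
extract_client_version() {
  printf '%s\n' "$1" | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Print fixed, vulnerable or unknown for a version such as v1.13.5.
# Assumption: "or later" means a later patch on the same minor line or a
# newer minor line; minor lines older than 1.12 have no fixed release listed.
cve_2019_11246_status() {
  v=${1#v}
  case "$v" in
    ''|*[!0-9.]*|*.*.*.*|.*|*.|*..*) echo unknown; return 0 ;;
    *.*.*) ;;
    *) echo unknown; return 0 ;;
  esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  if [ "$major" -ne 1 ]; then echo unknown; return 0; fi
  case "$minor" in
    12) min_patch=9 ;;
    13) min_patch=6 ;;
    14) min_patch=2 ;;
    *)
      if [ "$minor" -gt 14 ]; then echo fixed; else echo vulnerable; fi
      return 0 ;;
  esac
  if [ "$patch" -ge "$min_patch" ]; then echo fixed; else echo vulnerable; fi
}

# On a workstation, pass "$(kubectl version --client)" instead of the sample.
ver=$(extract_client_version "$SAMPLE_OUTPUT")
echo "$ver: $(cve_2019_11246_status "$ver")"
```

An "unknown" result means the version string could not be parsed and the client should be checked by hand.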

“This vulnerability stems from incomplete fixes for a previously disclosed vulnerability (CVE-2019-1002101). This vulnerability is concerning because it would allow an attacker to overwrite sensitive file paths or add files that are malicious programs, which could then be leveraged to compromise significant portions of Kubernetes environments,” said Wei Lien Dang, co-founder and vice president of product at StackRox.

“This type of exploit shows how a client-side vulnerability could be used to potentially compromise production environments, especially since we have observed that best practices to mitigate against this type of threat vector are not always followed. For example, users may be running kubectl on production nodes or without appropriate role-based access control to limit access to the entire cluster or with elevated local system permissions.”

Because upgrades depend on the actions of individual users, the fix can be harder to enforce, and Dang expects that this will not be the only vulnerability disclosed as a result of the security audit.

“These disclosures, along with the work by the Kubernetes product security team and broader community, will ensure that Kubernetes continues to be the most secure container orchestration platform.”
