Lucene search

PurelyappliedH1:952771

HistoryAug 06, 2020 - 5:42 p.m.

Kubernetes: CVE-2019-11250 remains in effect.

2020-08-0617:42:21

purelyapplied

hackerone.com

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

43.4%

JSON

Report Submission Form

Summary:

“CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs” remains in effect.

Kubernetes Version:

Effects at least all versions since 1.4.

This was determined with some git archaeology. This was determined by following the code snippet from it’s current location in kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go
The snippet was last meaningfully modified
It’s current location in The snippet remains relatively unchanged since

Component Version:

I’m not sure.

Steps To Reproduce:

Spin up a cluster with high verbosity: klog.V(9).Enabled()
Watch logs round_trippers.go curl -k -v -X<> -H "Authorization: <token>" <...>

I was having trouble getting a cluster spun up, so I have not managed a live reproduction.

Supporting Material/References:

[Issue #81146: Kubernetes 3rd Party Security Audit Findings]
(https://github.com/kubernetes/kubernetes/issues/81146)

[Issue #81114: CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs]
(https://github.com/kubernetes/kubernetes/issues/81114)

[Partial fix for #81114: PR #81330]
(https://github.com/kubernetes/kubernetes/pull/81330).
Note that only debuggingRoundTripper.RoundTrip only masks headers in the if rt.levels[debugRequestHeaders] block, exposure is also present in the
if rt.levels[debugCurlCommand] {klog.Infof("%s", reqInfo.toCurl())} preceding it.

At kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:416:

func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	reqInfo := newRequestInfo(req)

	if rt.levels[debugJustURL] {
		klog.Infof("%s %s", reqInfo.RequestVerb, reqInfo.RequestURL)
	}
	if rt.levels[debugCurlCommand] {
		klog.Infof("%s", reqInfo.toCurl())
	}
	if rt.levels[debugRequestHeaders] {
		klog.Infof("Request Headers:")
		for key, values := range reqInfo.RequestHeaders {
			for _, value := range values {
				value = maskValue(key, value)
				klog.Infof("    %s: %s", key, value)
			}
		}
	}
	// &lt;function continues&gt;
}

At kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:338:

// toCurl returns a string that can be run as a command in a terminal (minus the body)
func (r *requestInfo) toCurl() string {
	headers := ""
	for key, values := range r.RequestHeaders {
		for _, value := range values {
			headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
		}
	}

	return fmt.Sprintf("curl -k -v -X%s %s '%s'", r.RequestVerb, headers, r.RequestURL)
}

Correction will be a one-line diff to use maskValue in this loop as well.

Impact

> Alice logs into a Kubernetes cluster and is issued a Bearer token. The system logs her
token. Eve, who has access to the logs but not the production Kubernetes cluster, replays
Alice’s Bearer token, and can masquerade as Alice to the cluster.