Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

09:45 AM
Larry Loeb

Vulnerabilities Found in Kubernetes Container System

Trouble with tarballs and more.

Kubernetes is an open source container orchestration system for automating application deployment, scaling and management. Maintained by the Cloud Native Computing Foundation, it originated with Google.

Two security vulnerabilities have been disclosed in the system: CVE-2019-1002101, rated high severity, and CVE-2019-9946, rated medium severity.

The first vulnerability concerns the "kubectl cp" command. It could be used to replace or delete files on a user's machine; indeed, an attacker could write files to any path on the user's machine, limited only by the system permissions the local user has been granted.

The command copies files and directories between containers running in Kubernetes pods and the user's machine. It uses the tar binary inside the container for the actual copying: first it creates a tarball of the requested files inside the container, copies that over to the target machine, and un-tars it there to complete the move.

But someone can place a malicious tarball in a container, and it will be copied over without question. Since the previous fix for CVE-2018-1002100, the un-tar function calls "cp.go:clean" to strip path traversals contained in the tarball. Ariel Zelivansky of Twistlock realized that the function can both create and follow symbolic links, which means there are no limits on the paths that can be created for the files embedded in the tarball. Bingo. Files can be put anywhere by an attacker.
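The symlink-following behaviour described above is something a defender can check for before un-tarring anything copied out of a pod. The following is an added example, not kubectl's own code, that audits an archive in memory and flags the pattern the advisory describes; the archive it builds, including the /outside placeholder target, is constructed for illustration.

```python
import io
import posixpath
import tarfile

def _escapes(path):
    """True if an archive path climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")

def audit_tar(tar_bytes):
    """Return [(member, reason)] for entries that must not be extracted: traversing
    paths, links pointing outside the destination, and any member written through
    a symlink defined earlier in the same archive (the kubectl cp case)."""
    findings, symlinks = [], {}  # symlinks: normalized archive path -> target
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            name = posixpath.normpath(m.name)
            if _escapes(m.name):
                findings.append((m.name, "path traversal"))
                continue
            parts = name.split("/")
            via = next((p for p in ("/".join(parts[:i]) for i in range(1, len(parts)))
                        if p in symlinks), None)
            if via is not None:
                findings.append((m.name, f"written through symlink {via} -> {symlinks[via]}"))
            elif m.issym():
                # a relative target is resolved from the link's own directory
                if _escapes(posixpath.join(posixpath.dirname(name), m.linkname)):
                    findings.append((m.name, f"symlink escapes destination: {m.linkname}"))
                symlinks[name] = m.linkname
            elif m.islnk() and _escapes(m.linkname):
                findings.append((m.name, f"hard link escapes destination: {m.linkname}"))
    return findings

def build_sample():
    """Constructed archive (not from the advisory): a symlink to a placeholder path
    outside the destination, a file written through it, and a benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("link")
        link.type, link.linkname = tarfile.SYMTYPE, "/outside"
        tf.addfile(link)
        dropped = tarfile.TarInfo("link/dropped.txt")
        dropped.size = len(b"dropped")
        tf.addfile(dropped, io.BytesIO(b"dropped"))
        benign = tarfile.TarInfo("notes.txt")
        benign.size = 2
        tf.addfile(benign, io.BytesIO(b"ok"))
    return buf.getvalue()
```

Stripping "../" alone would pass "link/dropped.txt" as clean; only tracking the earlier symlink entry reveals that the write lands outside the destination.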

To determine whether they are affected, users must run "kubectl version --client". If it does not report version 1.11.9, 1.12.7, 1.13.5 or 1.14.0 or newer, the version is vulnerable. Patching/upgrading is the way to obtain these corrected versions.

The second vulnerability (CVE-2019-9946) involves interactions between the CNI (Container Networking Interface) portmap plugin, versions prior to 0.7.5, and Kubernetes. The CNI portmap plugin is embedded into Kubernetes, so a fixed Kubernetes is required to mitigate.

The issue was identified in a configuration of kube-proxy in IPVS mode together with a pod using a HostPort. However, other network configurations may use the CNI portmap plugin as well, so the problem may extend beyond the identified one.

Etienne Champetier of Anevia first identified the problem, which has to do with the way the iptables rules are set up. Simply put, the HostPort/portmap rule could match incoming traffic even when better-fitting, more specific service definition rules such as NodePorts appeared later in the chain. That means, at runtime, traffic could be claimed by the wrong rule.

Switching the portmap plugin to append its rules, rather than prepend, means that traffic will be processed by KUBE-SERVICES rules first, which is how things are intended to go.
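As an added illustration of the ordering problem (not the actual iptables rules that kube-proxy or the portmap plugin generate), this simplified first-match model of the chain shows the same packet being claimed by the less specific HostPort rule when it is prepended and by the KUBE-SERVICES rule when it is appended; the rules, ports and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    chain: str           # which chain the rule came from
    dport: int
    dst: Optional[str]   # None means "any destination address"
    target: str

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int

# Constructed rules. The portmap rule matches on destination port only; the
# service rule is more specific because it also matches the service's ClusterIP.
HOSTPORT_RULE = Rule("CNI-HOSTPORT-DNAT", 80, None, "DNAT to hostPort pod")
SERVICE_RULE = Rule("KUBE-SERVICES", 80, "10.96.0.10", "DNAT to service endpoints")

def first_match(chain: List[Rule], pkt: Packet) -> Optional[Rule]:
    """iptables semantics: the first rule whose match criteria fit the packet wins."""
    for rule in chain:
        if rule.dport == pkt.dport and rule.dst in (None, pkt.dst):
            return rule
    return None

def build_chain(prepend_hostport: bool) -> List[Rule]:
    """Pre-fix portmap inserted (prepended) its rule ahead of KUBE-SERVICES;
    the fixed plugin appends it, so the service rules are evaluated first."""
    return [HOSTPORT_RULE, SERVICE_RULE] if prepend_hostport else [SERVICE_RULE, HOSTPORT_RULE]

def owning_chain(pkt: Packet, prepend_hostport: bool) -> str:
    """Name of the chain whose rule handles the packet, or 'no match'."""
    rule = first_match(build_chain(prepend_hostport), pkt)
    return rule.chain if rule else "no match"
```

Traffic for the service ClusterIP on port 80 is handled by the HostPort rule when prepended and by KUBE-SERVICES when appended, while traffic to a node address on the HostPort still reaches the HostPort rule in both layouts.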

Ali Golshan, CTO and co-founder of StackRox, told Security Now in a message that, "While there is no evidence of either vulnerability being exploited in the wild, both CVEs could be leveraged by malicious actors to execute a number of common attacks on Kubernetes environments, i.e. ransomware and crypto mining attacks, data theft, and/or service disruption. Should an attacker exploit these vulnerabilities in an enterprise environment, the business impact could be massive, not limited to financial catastrophe, reputational damage, or legal consequences."

As far as the second vulnerability goes, he has a more sanguine view. "The good news is that most users will not be impacted with CVE-2019-9946," he said, "since support for network plugins in Kubernetes is still in alpha. However, if you are using the portmap CNI plugin to run HostPorts in your Kubernetes configuration and are unable to upgrade your cluster, you should limit the use of HostPorts in the interim, or use a plugin other than portmap for port-mapping."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
