Kubernetes’ Huge Privilege Escalation Bug Patched, Immediate
Kubernetes, the container-orchestration system originally developed by Google, has become a mainstay for container-based applications, used primarily in the enterprise. Released under the Apache license, this open-source implementation rivals proprietary offerings for running security-critical, portable applications in a corporate environment.
Like any software, Kubernetes is not developed in a pristine state; it has bugs. These range from mildly annoying recurring errors to security issues that must be dealt with as soon as possible. The latter is what CVE-2018-1002105, a critical privilege escalation bug, is about.
With the bug, an attacker who can reach the Kubernetes API server sends a specially crafted request that opens a connection through the API server to a backend (a kubelet or an aggregated API server), and can then issue arbitrary requests over that same connection, including commands and data manipulation. Because the connection to the backend is authenticated with the API server's own credentials, the backend treats those unauthorized requests as authentic. This has the potential to cause real damage: deletion of important data, or extraction of data and exfiltration of it to attacker-controlled storage.
The upstream advisory for the CVE describes the bug as: “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation. There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”
The issue has generated strong discussion online, especially in the cyber-security community, to the point that Red Hat, a major enterprise Linux vendor, has written an official blog article about it. “It’s important to note that all Kubernetes-based services and products – including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated – are affected. Red Hat has begun delivering patches and pushed service updates to affected users, enabling them to address this flaw either immediately or when it best fits their specific risk profile,” explained Ashesh Badani, Vice President and General Manager of Red Hat’s Cloud Platform Business.
Being an open-source project, Kubernetes quickly shipped fixed versions: v1.10.11, v1.11.5, v1.12.3 and v1.13.0-rc.1. The ball is now in system administrators' hands to install them; releases older than 1.10 are out of support and did not receive the fix, so clusters on those versions need a minor-version upgrade rather than a patch release. Because upgrading Kubernetes may be delayed, Red Hat has released its own patches for its affected OpenShift products. Until an upgrade lands, the interim mitigations given in the upstream advisory are to suspend use of aggregated API servers and to remove pod exec/attach/portforward permissions from users who should not have full access to the kubelet API.
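As an added example (not code from the article, from Red Hat or from the Kubernetes project), the following POSIX shell script decides whether a given upstream Kubernetes version string already contains the fix, using the fixed releases listed above. It assumes the version is an upstream tag of the form printed by `kubectl version` (for a live cluster, `kubectl version -o json | jq -r .serverVersion.gitVersion`, which assumes jq is installed); vendor builds that backport the fix without changing the upstream version number will be flagged as vulnerable, so that result means "confirm with your vendor", not "exploitable". The sample version list in the driver is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an upstream Kubernetes version against the
# CVE-2018-1002105 fix. Fixed releases named by the advisory:
# v1.10.11, v1.11.5, v1.12.3, v1.13.0-rc.1.
# Assumption: input is an upstream tag such as v1.12.2 or v1.11.5-gke.5
# (as printed by "kubectl version"); vendor backports are not detected.

# Usage: k8s_fixed_for_cve_2018_1002105 VERSION
# Returns 0 if the version contains the fix, 1 if vulnerable, 2 if unparseable.
k8s_fixed_for_cve_2018_1002105() {
    v=${1#v}                                   # "v1.13.0-rc.1" -> "1.13.0-rc.1"
    core=${v%%-*}                              # "1.13.0"
    suffix=""
    case "$v" in *-*) suffix=${v#*-} ;; esac   # "rc.1", "gke.5", or empty

    # Split major.minor.patch with parameter expansion (no IFS juggling).
    major=${core%%.*}
    rest=${core#*.}
    if [ "$rest" = "$core" ]; then rest=""; fi     # no dot at all
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi    # "1.13" -> patch 0

    # Reject non-numeric or missing components.
    case "$major:$minor:$patch" in
        *[!0-9:]*|:*|*::*|*:) return 2 ;;
    esac

    if [ "$major" -gt 1 ]; then
        status=0
    elif [ "$major" -lt 1 ]; then
        status=1
    elif [ "$minor" -ge 14 ]; then
        status=0
    elif [ "$minor" -eq 13 ]; then
        # v1.13.0-rc.1 is the first fixed 1.13 build; earlier alpha/beta
        # pre-releases of 1.13.0 are treated as vulnerable.
        case "$patch:$suffix" in
            0:alpha*|0:beta*) status=1 ;;
            *) status=0 ;;
        esac
    elif [ "$minor" -eq 12 ] && [ "$patch" -ge 3 ]; then status=0
    elif [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; then status=0
    elif [ "$minor" -eq 10 ] && [ "$patch" -ge 11 ]; then status=0
    else
        status=1          # 1.9 and earlier never received the fix
    fi
    return $status
}

# Driver: check the versions given as arguments, or, with no arguments, a
# constructed sample list so the script runs without a cluster.
if [ $# -gt 0 ]; then
    versions="$*"
else
    versions="v1.9.11 v1.10.10 v1.10.11 v1.11.5-gke.5 v1.12.2 v1.12.3 v1.13.0-alpha.1 v1.13.0-rc.1 v1.13.1 bogus"
fi
for ver in $versions; do
    if k8s_fixed_for_cve_2018_1002105 "$ver"; then
        echo "$ver: fixed"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then echo "$ver: unparseable version string"
        else echo "$ver: VULNERABLE - upgrade or apply interim mitigations"; fi
    fi
done
```

Run it with no arguments to see the constructed sample classified, or pass the server version of each cluster you manage. A "VULNERABLE" verdict for a vendor-suffixed build (for example a `-gke.` or `-eks-` tag) should be checked against the vendor's own advisory before anyone panics, since backports do not change the upstream tag.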
“We issued a critical Security Advisory and patches for CVE-2018-1002105, a privilege escalation flaw impacting Kubernetes. The Kubernetes privilege escalation flaw provides an example of how Red Hat helps to address software security at both the community and enterprise level, especially as organizations around the world are looking to lean on emerging technologies like Kubernetes to help fuel digital transformation. The de facto standard in Linux container orchestration, Kubernetes makes it possible to orchestrate containerized applications together, enabling composite services comprised of hundreds, or even thousands, of “simpler” services. These orchestrated applications are often easier to manage, more nimble and more straightforward to maintain than traditional applications,” announced Badani.