{"id":14335,"date":"2018-12-11T11:16:50","date_gmt":"2018-12-11T10:16:50","guid":{"rendered":"\/?p=14335"},"modified":"2019-03-11T11:18:54","modified_gmt":"2019-03-11T10:18:54","slug":"kubernetes","status":"publish","type":"post","link":"\/de\/security-alert\/kubernetes\/","title":{"rendered":"Kubernetes"},"content":{"rendered":"<p>Original date: 11.12.2018<br \/>\nOverall risk classification: <span class=\"badge badge-danger\">HIGH<\/span><\/p>\n<h3>Overview<\/h3>\n<p>This vulnerability makes it possible to establish a connection through the Kubernetes API server to a backend server. This connection can be used to send arbitrary requests to the backend server. The connection and the requests are authenticated with the TLS credentials of the Kubernetes API server. Depending on the configuration, this could potentially be exploited to run arbitrary code. [1]<br \/>\nTwo days ago, a PoC exploit for this vulnerability was published [2].<\/p>\n<h3>Systems Affected<\/h3>\n<ul>\n<li>Kubernetes v1.0.x-1.9.x<\/li>\n<li>Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)<\/li>\n<li>Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)<\/li>\n<li>Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)<\/li>\n<\/ul>\n<p>Whether your Kubernetes cluster is vulnerable also depends on its configuration:<br \/>\nClusters >= 1.6.x that run aggregated API servers that are directly accessible from the Kubernetes API server\u2019s network.<br \/>\nClusters >= 1.0.x that grant pod exec\/attach\/portforward permissions.<br \/>\nMore details at [1].<\/p>\n<h3>Threat<\/h3>\n<p><strong>Risk<\/strong>: <span class=\"badge badge-danger\">HIGH<\/span><br \/>\nTwo possible impacts of this vulnerability were described:<br \/>\nAPI calls to aggregated API server endpoints can be escalated to perform any API request against that aggregated API server. 
When using the default RBAC policy, this can be performed by authenticated and unauthenticated users.<br \/>\nA pod exec\/attach\/portforward API call can be escalated to perform any API request against the kubelet API on the node specified in the pod spec. This could lead to information disclosure or remote code execution.<br \/>\n<strong>Exploitability<\/strong>: <span class=\"badge badge-danger\">HIGH<\/span><br \/>\nExploitation against the aggregated API server requires that the aggregated API server is directly accessible from the Kubernetes API server\u2019s network.<br \/>\nFor the exploitation of the pod exec\/attach\/portforward API calls, a PoC exploit has been published [2].<br \/>\n<strong>Priority<\/strong> (for affected, internet-exposed systems): <span class=\"badge badge-danger\">HIGH<\/span><br \/>\n<strong>Priority<\/strong> (for internal systems): <span class=\"badge badge-warning\">MEDIUM<\/span><\/p>\n<h3>Mitigation<\/h3>\n<p>Upgrade Kubernetes or check whether the mitigation steps described in [1] can be applied to avoid the upgrade.<\/p>\n<h3>Author<\/h3>\n<p>Martin Sch\u00f6ne<\/p>\n<h3>References<\/h3>\n<p>[1] https:\/\/github.com\/kubernetes\/kubernetes\/issues\/71411<br \/>\n[2] https:\/\/github.com\/evict\/poc_CVE-2018-1002105<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This vulnerability opens the possibility to create a connection through the Kubernetes API server to a backend server. 
This connection can be used to send arbitrary requests to the backend server.<\/p>\n","protected":false},"author":29,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[64],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Kubernetes - sectest.team<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"\/security-alert\/kubernetes\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kubernetes\" \/>\n<meta property=\"og:description\" content=\"This vulnerability opens the possibility to create a connection through the Kubernetes API server to a backend server. This connection can be used to send arbitrary requests to the backend server.\" \/>\n<meta property=\"og:url\" content=\"\/security-alert\/kubernetes\/\" \/>\n<meta property=\"og:site_name\" content=\"sectest.team\" \/>\n<meta property=\"article:published_time\" content=\"2018-12-11T10:16:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-03-11T10:18:54+00:00\" \/>\n<meta name=\"author\" content=\"Tuyen Nguyen\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tuyen Nguyen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"2\u00a0Minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"\/security-alert\/kubernetes\/\",\"url\":\"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/\",\"name\":\"[:en]Kubernetes[:] - 
sectest.team\",\"isPartOf\":{\"@id\":\"https:\/\/sectest.hostpress.me\/#website\"},\"datePublished\":\"2018-12-11T10:16:50+00:00\",\"dateModified\":\"2019-03-11T10:18:54+00:00\",\"author\":{\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28\"},\"breadcrumb\":{\"@id\":\"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/#breadcrumb\"},\"inLanguage\":\"de-DE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"\/de\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kubernetes\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sectest.hostpress.me\/#website\",\"url\":\"https:\/\/sectest.hostpress.me\/\",\"name\":\"sectest.team\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sectest.hostpress.me\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"de-DE\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28\",\"name\":\"Tuyen Nguyen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\/\/sectest.hostpress.me\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g\",\"caption\":\"Tuyen Nguyen\"},\"url\":\"\/de\/security-alert\/author\/tutnguyen\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Kubernetes - sectest.team","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/","og_locale":"de_DE","og_type":"article","og_title":"[:en]Kubernetes[:] - sectest.team","og_description":"[:en]This vulnerability opens the possibility to create a connection through the Kubernetes API server to a backend server. This connection can be used to send arbitrary requests to the backend server.[:]","og_url":"\/security-alert\/kubernetes\/","og_site_name":"sectest.team","article_published_time":"2018-12-11T10:16:50+00:00","article_modified_time":"2019-03-11T10:18:54+00:00","author":"Tuyen Nguyen","twitter_misc":{"Verfasst von":"Tuyen Nguyen","Gesch\u00e4tzte Lesezeit":"2\u00a0Minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"\/security-alert\/kubernetes\/","url":"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/","name":"[:en]Kubernetes[:] - 
sectest.team","isPartOf":{"@id":"https:\/\/sectest.hostpress.me\/#website"},"datePublished":"2018-12-11T10:16:50+00:00","dateModified":"2019-03-11T10:18:54+00:00","author":{"@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28"},"breadcrumb":{"@id":"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/#breadcrumb"},"inLanguage":"de-DE","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/sectest.hostpress.me\/security-alert\/kubernetes\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"\/de\/"},{"@type":"ListItem","position":2,"name":"Kubernetes"}]},{"@type":"WebSite","@id":"https:\/\/sectest.hostpress.me\/#website","url":"https:\/\/sectest.hostpress.me\/","name":"sectest.team","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sectest.hostpress.me\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"de-DE"},{"@type":"Person","@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/ac34e9ab3a597646eb101a26405d2c28","name":"Tuyen Nguyen","image":{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/sectest.hostpress.me\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ebe0b5655ad033f17aac019256490ba4?s=96&d=mm&r=g","caption":"Tuyen 
Nguyen"},"url":"\/de\/security-alert\/author\/tutnguyen\/"}]}},"_links":{"self":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14335"}],"collection":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/comments?post=14335"}],"version-history":[{"count":2,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14335\/revisions"}],"predecessor-version":[{"id":14337,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/posts\/14335\/revisions\/14337"}],"wp:attachment":[{"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/media?parent=14335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/categories?post=14335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sectest.hostpress.me\/de\/wp-json\/wp\/v2\/tags?post=14335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}