A new medium severity vulnerability in open source Kubernetes has been disclosed (CVE-2019-1002100) that, if exploited, can cause a denial of service on the K8s API server, which in turn may leave the cluster inoperable.
The best mitigation is to remove the “patch” permissions from untrusted users, and we have also updated Kube-Hunter to check if your cluster is vulnerable.
The Kubernetes API server, which controls the cluster, exposes a patch API that allows direct patching of resources in the cluster. This is easier than pulling resources, updating them and redeploying them to the cluster – for a detailed explanation and an example, read Dave Kerr’s blog.
One of the ways of implementing such a patch is through JSON files, using the JSON Patch Spec (RFC 6902). Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.
A DoS attack on the API Server means it will not be able to handle additional requests, will become non-responsive, and bring down the entire cluster.
Vulnerable versions of Kubernetes are v1.0.0-1.10.x, v1.11.0-1.11.7, v1.12.0-1.12.5, v1.13.0-1.13.3.
We have upgraded our K8s penetration testing tool kube-hunter to detect and ascertain whether your cluster is vulnerable; it will give you a definitive answer on whether you’re vulnerable to CVE-2019-1002100 (as seen below).
You can upgrade your kube-apiserver to newer versions, namely v1.11.8, v1.12.6, or v1.13.4, in which it has been fixed.
If you cannot upgrade, or until you do, the best course of action is to remove patch permissions from untrusted users, or generally from admins who don’t really use it. This is done via “verb” definitions in Kubernetes RBAC authorization.
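As an added example (not kube-hunter’s or Aqua’s code), here is a small Python audit that applies the two checks described above: whether a kube-apiserver version string falls in the vulnerable ranges listed, and which RBAC Role/ClusterRole objects grant the “patch” verb, with a helper that strips it. It assumes that 1.14 and later are fixed (released after the advisory) and uses constructed sample roles in place of real kubectl output.

```python
import copy
import re

# Patched releases named in the advisory; earlier patch levels on the same minor are vulnerable.
FIXED_PATCH_LEVEL = {11: 8, 12: 6, 13: 4}
# Standard Kubernetes verbs, used to expand a "*" wildcard so "patch" can be dropped from it.
ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]

def is_vulnerable(version: str) -> bool:
    """True if a kube-apiserver version string such as 'v1.12.3' falls in a vulnerable range."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return False          # the advisory covers 1.x only
    if minor <= 10:
        return True           # v1.0.0-1.10.x received no fix
    if minor in FIXED_PATCH_LEVEL:
        return patch < FIXED_PATCH_LEVEL[minor]
    return False              # assumption: 1.14+ shipped after the fix

def roles_granting_patch(roles: list) -> list:
    """Names of Role/ClusterRole objects with any rule granting 'patch' (or the '*' wildcard)."""
    return [r["metadata"]["name"] for r in roles
            if any("patch" in rule.get("verbs", []) or "*" in rule.get("verbs", [])
                   for rule in r.get("rules", []))]

def strip_patch(role: dict) -> dict:
    """Return a copy of the role with 'patch' removed from every rule; '*' is expanded first."""
    hardened = copy.deepcopy(role)
    for rule in hardened.get("rules", []):
        verbs = rule.get("verbs", [])
        if "*" in verbs:
            verbs = ALL_VERBS
        rule["verbs"] = [v for v in verbs if v != "patch"]
    return hardened

# Constructed sample: shaped like items from `kubectl get clusterroles,roles -A -o json`.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "deploy-editor"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
```

Against a live cluster, feed `is_vulnerable` the `gitVersion` from `kubectl version -o json` and `roles_granting_patch` the `items` list from the kubectl command in the comment; any role it reports that does not genuinely need patch is a candidate for `strip_patch`.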
This CVE was given a score of 6.5 and rated medium severity because despite its potentially serious impact, it is only exploitable by authenticated users with the right authorization. Still, it demonstrates how a simple administrative permission can lead to a DoS attack on a cluster, which highlights once again the tension between the need to make the K8s API server flexible and easy to manage, and its sensitivity as the “keystone” for the whole cluster.
If you haven’t familiarized yourself with kube-hunter, the open source pen-testing tool for Kubernetes, there’s no time like the present!
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.