Kubernetes API Server Patch DoS Vulnerability (CVE-2019-1002100)


A new medium-severity vulnerability in open source Kubernetes (CVE-2019-1002100) has been disclosed that, if exploited, can lead to a denial of service on the K8s API server, which in turn may render the cluster inoperable.

The best mitigation is to remove the “patch” permissions from untrusted users, and we have also updated Kube-Hunter to check if your cluster is vulnerable.

How is this vulnerability enabled? What does it do?

The Kubernetes API server, which controls the cluster, exposes a patch API that allows direct patching of resources in the cluster. This is easier than pulling resources, updating them and redeploying the cluster – for a detailed explanation and an example, read Dave Kerr’s blog.

One of the ways of implementing such a patch is through JSON files, using the JSON Patch Spec (RFC 6902). Users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g. kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing, causing a Denial of Service on the API Server.

A DoS attack on the API Server means it will not be able to handle additional requests, will become non-responsive, and bring down the entire cluster.

How to Mitigate

Vulnerable versions of Kubernetes are v1.0.0-1.10.x, v1.11.0-1.11.7, v1.12.0-1.12.5, v1.13.0-1.13.3.

We have upgraded our K8s penetration testing tool kube-hunter to detect and ascertain whether your cluster is vulnerable, and it will give you a definitive answer on whether you're vulnerable to CVE-2019-1002100 (as seen below).

[Screenshot: kube-hunter output reporting CVE-2019-1002100]

You can upgrade your kube-apiserver to newer versions, namely v1.11.8, v1.12.6, or v1.13.4, in which it has been fixed.

If you cannot upgrade, or until you do, the best course of action is to remove patch permissions from untrusted users, or generally from admins who don’t really use it. This is done via “verb” definitions in Kubernetes RBAC authorization.
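As an added illustration of that RBAC mitigation (example code, not part of the original post or of kube-hunter), the script below audits a ClusterRole dump for any role that grants the "patch" verb, including roles that grant it implicitly through a wildcard "*", and produces a hardened copy of a role with the verb removed. The sample document is constructed to look like `kubectl get clusterroles -o json` output; the role names and the reduced verb list used to replace a wildcard are assumptions.

```python
# Added example (not from the original post): audit an RBAC dump for roles
# granting "patch" and produce hardened copies without it.
# SAMPLE_ROLES is constructed to mirror `kubectl get clusterroles -o json`.
import copy
import json

SAMPLE_ROLES = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRole", "metadata": {"name": "deploy-editor"},
   "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
              "verbs": ["get", "list", "patch", "update"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
   "rules": [{"apiGroups": [""], "resources": ["pods"],
              "verbs": ["get", "list", "watch"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]}
""")

def grants_patch(rule):
    """A rule grants patch if it lists the verb explicitly or uses '*'."""
    verbs = rule.get("verbs", [])
    return "patch" in verbs or "*" in verbs

def roles_granting_patch(role_list):
    """Return {role name: [resources]} for every role that allows patch."""
    findings = {}
    for role in role_list["items"]:
        resources = [r for rule in role.get("rules", []) if grants_patch(rule)
                     for r in rule.get("resources", [])]
        if resources:
            findings[role["metadata"]["name"]] = sorted(set(resources))
    return findings

def without_patch(role):
    """Copy of a role with the patch verb removed. A wildcard verb list is
    replaced by an explicit, reduced set (an assumption for this example)
    so that '*' no longer implies patch."""
    hardened = copy.deepcopy(role)
    for rule in hardened.get("rules", []):
        verbs = rule.get("verbs", [])
        if "*" in verbs:
            verbs = ["get", "list", "watch", "create", "update", "delete"]
        rule["verbs"] = [v for v in verbs if v != "patch"]
    return hardened

if __name__ == "__main__":
    for name, res in roles_granting_patch(SAMPLE_ROLES).items():
        print(f"{name}: patch allowed on {', '.join(res)}")
```

On a live cluster the same check would be fed with `kubectl get clusterroles,roles -A -o json`; RoleBindings and ClusterRoleBindings then show which subjects actually hold the flagged roles.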

In Conclusion

This CVE was given a score of 6.5 and rated medium severity because despite its potentially serious impact, it is only exploitable by authenticated users with the right authorization. Still, it demonstrates how a simple administrative permission can lead to a DoS attack on a cluster, which highlights once again the tension between the need to make the K8s API server flexible and easy to manage, and its sensitivity as the “keystone” for the whole cluster.

If you haven’t familiarized yourself with kube-hunter, the open source pen-testing tool for Kubernetes, there’s no time like the present!

Amir Jerbi

Amir is the Co-Founder and CTO at Aqua. Amir has 20 years of security software experience in technical leadership positions. Amir co-founded Aqua with the vision of creating a security solution that will be simpler and lighter than traditional security products. Prior to Aqua, he was a Chief Architect at CA Technologies, in charge of the host based security product line, building enterprise grade security products for Global 1000 companies. Amir has 14 cloud and virtual security patents under his belt. In his free time, Amir enjoys backpacking in exotic places.