CyberWire Daily - Breaking down a high-severity vulnerability in Kubernetes. [Research Saturday]
Episode Date: April 13, 2024
Tomer Peled, a Security & Vulnerability Researcher from Akamai, is sharing their work on "What a Cluster: Local Volumes Vulnerability in Kubernetes." This research focuses on a high-severity vulnerability in Kubernetes, allowing for remote code execution with system privileges on all Windows endpoints within a Kubernetes cluster. The research states "The discovery of this vulnerability led to the discovery of two others that share the same root cause: insecure function call and lack of user input sanitization." The research can be found here: What a Cluster: Local Volumes Vulnerability in Kubernetes
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
YAML files are Kubernetes' way of doing everything from configuring stuff to creating pods to everything else.
While it parses some parameters in this YAML file, there may be some parameters that are unsanitized and may lead to command injection opportunities and to command execution from the Kubernetes service
on the node or on the pod or on the cluster itself.
That's Tomer Peled, a security and vulnerability researcher at Akamai.
The research we're discussing today is titled "What a Cluster: Local Volumes Vulnerability in Kubernetes."
A few months back, we put up a blog about another CVE, which led to a system RCE over every Windows node on the cluster.
On the tail end of that research, we found out another CMD command execution that could lead to a command injection.
And this research is the culmination of all of this research that we've done since the last CVE.
Sorry.
Yeah. Well, let's dig into it here.
Before we do, though, can you give us a little bit of the background
for folks who might not be all that familiar with Kubernetes?
What do they need to know going into today's explanation of your research?
So Kubernetes is a container orchestration framework.
It's being used by a lot of developers.
And today, we are going to talk about command injection and its parsing mechanism.
So, yeah, so YAML files are Kubernetes' way of doing everything
from configuring stuff to creating pods to everything else.
While it parses some parameters in this YAML file,
there may be some parameters that are unsanitized and may lead to command injection
opportunities and to command execution from the Kubernetes service on the node or on the pod or
on the cluster itself.
When we're talking about sanitization here,
what exactly do we mean?
Sanitization in a broad sense is
when an application tries to find out
if there is anything malicious going on
while parsing a command.
In this sense, in Kubernetes,
sanitization means that every parameter in a YAML file is going to be checked to see if anything malicious is going into the cluster while creating a pod, while creating a configuration, while creating secrets.
So every time one of these operations is being executed, it needs to be sanitized.
We found out that it's not actually the case,
and in some cases it will lead to an RCE,
which is a remote code execution over Windows nodes on the cluster.
Well, digging into some of the specifics
of the research here,
you start out talking about Kubernetes volumes
and point out that it's important for people
to understand what we're talking about there.
Can you explain that for us?
Yeah, sure.
So Kubernetes volumes are the way that Kubernetes
facilitates the share of data between a pod
and another computer, another node itself,
another host, or from the host to the pod.
So, for example, you can take a Git repository and the pod itself
and a Git volume will actually link between the repository and the pod.
Let's dig into the vulnerability itself here.
What's going on?
Okay, so in this vulnerability, a parameter inside the local volume feature,
which is one of the volumes that you can create, that you can use.
Local volumes, if we can just talk a little bit about what local volumes are,
local volumes are a way to share a drive, not a folder or a Git repository,
just a drive between the host and the pod itself.
So if you want to share your D drive or Z drive
or any other drive, you would use local volumes.
So this vulnerability occurs
when the Kubelet service on a Windows node
tries to symlink between the drive and the pod.
It will actually try to execute a command,
and we can, as an attacker, use it to inject.
Instead of a drive letter, we can inject anything we want,
and it will be executed on the pod or on the node.
Oh, wow, that's interesting.
So what's going on in your estimation that leads to this functionality?
I mean, is this purely an error
that it shouldn't be looking at this as code?
Oh, sure.
So Kubernetes itself actually has the problem in it,
not Windows.
It will try to run a CMD command.
The CMD command will try to symlink between a drive and
a pod location. The pod location it will take from itself
in the creation process. And the drive letter is something that you
can customize as a user. So actually
it will happen from, as an attacker, we will be able to do it from a parameter
standpoint.
And what happens is that Kubernetes will not check for anything while creating this volume.
So you can enter anything you want in the drive letter or in the path parameter, and
it will just take it into the CMD.
And what you can do with that is that while CMD is running,
it can concatenate between several commands.
When you do an end-to-end command,
it will actually try to run this command
before trying to do the actual command itself, the actual symlink.
So what is to be done here?
How can folks protect themselves against this?
Okay, so there are a few ways to mitigate this vulnerability.
One of them is to, of course, the main one is to patch your cluster to a version higher than 1.28.4.
Another way to do this, to try and mitigate or block this kind of vulnerability
is by using an OPA rule, which OPA is Open Policy Agent.
And another way is to use RBAC or R-B-A-C,
Role-Based Access Control.
And with R-B-A-C, you will be able to determine
which user can do which actions,
and you will be able to more granularly control what
you will be able to do and what you can see. So you want to be able to do
a local volume attachment or symlink. On the OPA side, you will be able to see
what's going on, what's going inside the cluster and what's being created. So we'll
be able to block it from that end. But majorly, patching to a higher version
is going to be your main course of action.
One of the things you point out in the conclusion
in your research here is,
you say this is a great example
of why the shared responsibility model
is crucial in security.
Can you explain that for us?
Sure.
So security administrator
needs to be alert for everything that's going on
in the cluster or in Kubernetes itself.
And they can take outside precautions to help avoid a serious
security impact on their organizations.
vulnerability in Kubernetes. We'll have a link in the show notes.
The CyberWire Research Saturday podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Elliot Peltzman.
Our executive editor is Peter Kilby.
And I'm Dave Bittner.
Thanks for listening.