

A recently discovered flaw in the Kubernetes orchestration manager can enable any authorized user to gain administrative privileges that could be used to steal data or bring down production applications. The same vulnerability can also be exploited by unauthorized users to inject malicious code.
The flaw, which affects Kubernetes versions 1.10 and higher, was publicly disclosed on GitHub a week ago. Red Hat Inc. today posted details on its customer portal and labeled the vulnerability “critical” based on the ease with which it can be exploited. The bug also affects Red Hat OpenShift, which is the company’s version of Kubernetes.
A patch has been issued, and any organization that has automatic updates turned on should already be protected. However, there is no way to know what percentage of Kubernetes users use automatic updates. Large enterprises often test patches before applying them, and so would likely have the option turned off.
Kubernetes orchestrates collections of software containers, which are small, portable virtual machines that are increasingly popular as the building blocks for modern services-based applications. Released to open source just four years ago, Kubernetes has already been adopted by more than 70 percent of enterprises, according to 451 Research LLC.
Red Hat said a malicious user can exploit the flaw either by abusing pod exec privileges granted to a normal user or by attacking the application program interface extensions feature, which provides the service catalog and access to additional features in Kubernetes. The service catalog enables applications running in Kubernetes clusters to easily use external software. A pod is a group of containers that are deployed together on the same host.
With elevated privileges gained through the first exploit, an authenticated attacker can “access any container running on the same node as their pod, allowing them access to sensitive workloads, data and even production applications,” Red Hat said in an advisory.
The second exploit method enables even an unauthenticated user to gain administrative privileges and to create managed services, which could include malicious code.
“There is no simple way to detect whether this vulnerability has been used,” Jordan Liggett, a staff software engineer at Google LLC, wrote in the GitHub post. “Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log.”
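Because the advisory says the first exploit path starts from pod exec privileges held by an ordinary user, and because the disclosure notes that successful use leaves no trace in the API server audit log, a defender's practical recourse is to audit who holds that privilege in the first place. The script below is an added example written for this article, not code from the page, from Red Hat or from the Kubernetes project. It parses RBAC objects in the JSON form that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` emits and reports every subject that can create an exec session on pods, flagging grants to the catch-all groups `system:authenticated` and `system:unauthenticated`. The sample cluster in `SAMPLE_RBAC_JSON` is constructed for the demonstration; the function and variable names are the example's own.

```python
"""Audit Kubernetes RBAC for pods/exec grants (added example, standard library only).

Input is the JSON "List" that `kubectl get ... -o json` produces, so the audit
runs offline against an exported snapshot and does not need cluster access.
"""
import json

# Constructed sample RBAC export; not taken from any real cluster or from the article.
SAMPLE_RBAC_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "dev-exec"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"],
                    "verbs": ["get", "create"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "view-only"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-exec-everyone"},
         "roleRef": {"kind": "ClusterRole", "name": "dev-exec"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "RoleBinding", "metadata": {"name": "alice-view", "namespace": "team-a"},
         "roleRef": {"kind": "ClusterRole", "name": "view-only"},
         "subjects": [{"kind": "User", "name": "alice"}]},
        {"kind": "RoleBinding", "metadata": {"name": "ops-admin", "namespace": "team-a"},
         "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "team-a"}]},
    ],
})

# Resource names that cover the exec subresource; "*" matches everything.
EXEC_RESOURCES = {"pods/exec", "*"}
# Groups whose membership is effectively every caller that can reach the API server.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def rule_grants_exec(rule):
    """True if one RBAC rule allows creating an exec session on pods.

    pods/exec lives in the core API group (""), and opening a session is a
    "create" on the subresource, so all three fields must match (wildcards count).
    """
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core_group = "" in groups or "*" in groups
    return bool(core_group and (resources & EXEC_RESOURCES) and (verbs & {"create", "*"}))


def _role_key(kind, name, namespace):
    """Roles are namespaced, ClusterRoles are not; key them so names cannot collide."""
    return (kind, name, namespace if kind == "Role" else None)


def find_exec_grants(rbac_json):
    """Return one finding per (binding, subject) pair that can exec into pods."""
    items = json.loads(rbac_json)["items"]
    exec_roles = set()
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole") and any(
                rule_grants_exec(r) for r in obj.get("rules", [])):
            exec_roles.add(_role_key(obj["kind"], obj["metadata"]["name"],
                                     obj["metadata"].get("namespace")))

    findings = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        scope = obj["metadata"].get("namespace", "cluster-wide")
        ref = obj["roleRef"]
        # A RoleBinding that references a Role means the Role in the binding's namespace.
        if _role_key(ref["kind"], ref["name"], obj["metadata"].get("namespace")) not in exec_roles:
            continue
        for subj in obj.get("subjects", []):
            findings.append({
                "binding": obj["metadata"]["name"],
                "scope": scope,
                "role": ref["name"],
                "subject": f'{subj["kind"]}:{subj["name"]}',
                "broad": subj["kind"] == "Group" and subj["name"] in BROAD_GROUPS,
            })
    return findings


if __name__ == "__main__":
    for f in find_exec_grants(SAMPLE_RBAC_JSON):
        flag = "  <-- granted to a catch-all group" if f["broad"] else ""
        print(f'{f["scope"]:12} {f["binding"]:20} {f["role"]:16} {f["subject"]}{flag}')
```

On the constructed sample the audit reports two grants: the `dev-exec` ClusterRole handed to every authenticated principal cluster-wide (the kind of broad exec grant the advisory's first path relies on), and the `ops` service account in `team-a`, whose wildcard admin role implicitly covers `pods/exec`. The wildcard match matters in practice, since a role that never mentions exec by name can still confer it.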