What is CVE-2018-1002105?
December 2018 by Red Hat
The flaw allows non-privileged users to access Kubernetes clusters and associated data that they otherwise would not be able to access. Malicious actors can exploit the flaw in two ways - the first involves abusing pod exec privileges granted to a normal user, and the second involves attacking the API extensions feature which provides the service catalog and access to additional features in Kubernetes 1.6 and later.
How does Red Hat rate the vulnerability?
Red Hat Product Security rates this vulnerability as critical based on the ease of exploitation and potential impact on production operations.
How does the Kubernetes privilege escalation flaw affect IT operations?
By exploiting this flaw, a malicious user with Pod exec/attach/portforward privileges can escalate their privileges to cluster-admin and make any API call to a compute node's Kubelet API. This means that the user can access any container running on the same node as their pod, allowing them access to sensitive workloads, data and even production applications.
Using the second exploit method, an unauthenticated user can exploit the API extension feature used by metrics and service catalog in Kubernetes. This actor can then gain cluster-admin privileges to the service broker which allows the creation of brokered services in any namespace and on any node. Effectively, exploiting the flaw in this manner allows for the creation of new services that are not approved, potentially allowing for the injection of malicious code.
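The first path above depends on a user holding Pod exec/attach/portforward privileges, so a review of which RBAC roles grant them shows who is in a position to use it. The following is an added example, not code from Red Hat or Kubernetes; the function names and the sample role list are assumptions constructed for illustration.

```python
# Subresources the page names as the precondition for the first exploit path.
RISKY = {"pods/exec", "pods/attach", "pods/portforward"}
VERBS = {"create", "get", "*"}  # POST or websocket GET can open the stream


def rule_grants(rule):
    """Return the risky pod subresources a single RBAC rule grants."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return set()  # pods live in the core ("") API group
    if not VERBS & set(rule.get("verbs", [])):
        return set()
    hit = set()
    for res in rule.get("resources", []):
        if res == "*":
            hit |= RISKY
        elif res in RISKY:
            hit.add(res)
        elif res.startswith("*/"):  # "*/exec" form: subresource of any resource
            hit |= {r for r in RISKY if r.split("/")[1] == res[2:]}
    return hit


def audit(role_list):
    """Map 'Kind/namespace/name' to the sorted risky subresources it grants."""
    findings = {}
    for item in role_list.get("items", []):
        granted = set()
        for rule in item.get("rules") or []:  # aggregated roles may have null
            granted |= rule_grants(rule)
        if granted:
            meta = item["metadata"]
            key = f'{item["kind"]}/{meta.get("namespace", "-")}/{meta["name"]}'
            findings[key] = sorted(granted)
    return findings

# Constructed sample shaped like `kubectl get roles,clusterroles -A -o json`.
SAMPLE = {"items": [
    {"kind": "Role", "metadata": {"namespace": "dev", "name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"namespace": "ci", "name": "forwarder"},
     "rules": [{"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["list"]}]},
]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Roles flagged here still need their bindings checked to see which users and service accounts actually hold them.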
What Red Hat products are affected?
Red Hat OpenShift Container Platform 3.x and later are affected, as are Red Hat OpenShift Online and Red Hat OpenShift Dedicated.
What is Red Hat advising customers to do?
Red Hat recommends that customers running any affected products immediately apply appropriate patches or ensure that their service has been updated to reflect the fixes. Customers running OpenShift Online or Starter have no actions to take, as Red Hat operations has been actively rolling out fixes to those environments. Customers using OpenShift Dedicated should contact their support representative to decide upon the appropriate time to deploy the updates to their environments.
Statement from Tracy Rankin, senior director, OpenShift Engineering at Red Hat:
“The de facto standard in container orchestration, Kubernetes is often looked to by organizations as a key component of digital transformation. Vulnerabilities like the escalation privilege flaw can potentially delay or entirely derail these strategies, highlighting the need to work with an established partner in building and maintaining a more secure Kubernetes footprint. Red Hat is proud to have worked closely with the Kubernetes community in assessing and ultimately fixing this flaw.”