A year after a potentially critical vulnerability (CVE-2018-1002100) was found and patched in the popular open-source container orchestration system and DevOps tool Kubernetes, researchers discovered that the vulnerability can still be exploited.
Researchers from Twistlock state that the path traversal and arbitrary code execution vulnerability that was patched by Kubernetes and OpenShift developers wasn’t fully fixed, and demonstrated how attackers can still exploit it.
This flaw — which is now given an updated CVE identifier (CVE-2019-1002101) — is tagged as a high severity issue, and Kubernetes released an advisory urging users to upgrade to versions 1.11.9, 1.12.7, 1.13.5, and 1.14.0, which already address this vulnerability.
The vulnerability involves kubectl, Kubernetes’ command-line tool used for deploying and managing applications on the system. The flaw was found on kubectl’s cp command, which allows the copying of files and directories to and from containers.
To successfully copy files from a container, Kubernetes creates a tar binary inside the container. The tar is copied over the network and is unpacked on the user’s workstation using kubectl. This tar binary inside the container is a prerequisite for the cp command to work — which, if made malicious by an attacker, can run any piece of code that can critically affect a system. After CVE-2018-1002100 was fixed, a function is called by the untarring function to strip path traversals.
However, according to a post penned by Ariel Zelivansky of Twistlock, the same function can follow and create symbolic links from the tar headers. This means a malicious tar can be created by an attacker to include a symbolic link to any path and a file inside another header to a directory named the same as the symbolic link. When the attacker calls the untarring function, the link will enable file modification or creation in the path.
If attackers abused the vulnerability to target enterprises, they can gain access to potentially confidential and sensitive information. Zelivansky also mentioned that an attacker can exploit this vulnerability and achieve remote code execution if kubectl runs with root privileges. However, kubectl typically runs as a user, which would make it harder for an attacker to successfully get code execution.
Trend Micro Recommendations and Solutions
More and more enterprises are turning to DevOps to ensure that they centralize software or application release cycles for the purpose of improving quality, security, and scalability, as well as develop a shared responsibility for creating secure and compliant applications throughout the software or application life cycle. When vulnerabilities are discovered, the importance of security by design is further highlighted.
In order to ensure that container machines are kept protected from attacks that use vulnerabilities such as CVE-2018-1002100 and CVE-2019-1002101, we recommend that organizations implement the following best practices:
- Update machines regularly and consistently to minimize the chance of vulnerabilities being exploited.
- Upgrade to the latest version of Kubernetes to take advantage of new security features as well as fixes to vulnerabilities.
- Avoid running containers using root privileges, especially if it is the default configuration. To ensure that the machines are properly protected from potential attacks, only use them as application users.
Security solutions support DevOps processes by preventing the potential impact of vulnerabilities in container orchestration systems like Kubernetes. The Trend Micro™ Hybrid Cloud Security solution, for example, provides threat defense for safeguarding runtime physical, virtual, and cloud workloads, and containers as well as scanning of container images during development phases.
Trend Micro helps DevOps teams to build securely, ship fast, and run anywhere. The Trend Micro Hybrid Cloud Security solution provides powerful, streamlined, and automated security within the organization’s DevOps pipeline and delivers multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It also adds protection for containers via Deep Security™ solution and Deep Security Smart Check, which scans container images for malware and vulnerabilities at any stage in the development pipeline to prevent threats before they are deployed.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.