Two Kubernetes security vulnerabilities were disclosed yesterday: CVE-2019-1002101, a high severity issue, and CVE-2019-9946, a medium severity issue. Read on for a description of the vulnerabilities and their impact, how to know whether you’re affected, and what the remediation steps are.
CVE-2019-1002101: kubectl cp could replace or delete files on a user machine
This vulnerability is in the kubectl binary — specifically, in the kubectl cp command. An attacker can exploit this vulnerability to write files to any path on the user’s machine, limited only by the system permissions of the local user.
How It Works
The kubectl cp command is a handy utility that allows users to copy files and directories between containers running in Kubernetes pods and the user’s machine. kubectl cp depends on the tar binary in a container — when copying files from a container, it creates a tarball inside the container before copying it over to the user’s machine and untar-ing it.
However, if a container contains a malicious tar binary, it could construct a malicious tarball that, when extracted on a user’s machine, could replace or delete arbitrary files on it.
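A defensive check of the kind the fix needs, as an added Python example (not code from the kubectl project): it validates each tar member's name against the destination directory before extraction, rejecting absolute paths, '..' escapes and links. The sample tarball and its entry names are constructed for the demonstration.

```python
import io
import os
import tarfile


def is_member_safe(name: str, dest: str) -> bool:
    """Return True only if extracting `name` stays inside `dest`.

    Rejects absolute paths and any entry whose normalised path climbs
    out of the destination directory with '..' components.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    # A safe target is dest itself or something strictly beneath it;
    # the trailing separator stops "/tmp/kcp2" passing for "/tmp/kcp".
    return target == dest_real or target.startswith(dest_real + os.sep)


def classify_members(tar_bytes: bytes, dest: str) -> dict:
    """Split tar member names into those safe to extract and those rejected."""
    verdict = {"safe": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf.getmembers():
            # Links are rejected outright: a symlink pointing outside dest,
            # followed by a later entry written through it, would also escape.
            if m.issym() or m.islnk() or not is_member_safe(m.name, dest):
                verdict["rejected"].append(m.name)
            else:
                verdict["safe"].append(m.name)
    return verdict


def build_sample_tar() -> bytes:
    """Constructed sample: one benign entry and two hostile ones.

    This mimics what a tampered in-container `tar` could emit; the
    entry names are made up for the demonstration.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("app/config.yaml", "../../.bashrc", "/etc/passwd"):
            data = b"sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_members(build_sample_tar(), "./restore"))
```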
Remediation Steps
This vulnerability is fixed in kubectl client versions 1.11.9, 1.12.7, 1.13.5 and 1.14.0. If you’re using an older version of kubectl, upgrade by following the instructions at kubectl install docs. After upgrading, run kubectl version --client to confirm that you have a version with the fix. While you do not need to update the server to mitigate this CVE, it is important to make sure that all operators of your cluster use a patched kubectl.
CVE-2019-9946: CNI HostPorts could intercept traffic intended for other pods
This vulnerability is in the CNI (Container Networking Interface) portmap plugin, which allows users to set up HostPorts. A HostPort created with this plugin could match network traffic not intended for it, allowing attackers to potentially intercept traffic intended for other applications.
How It Works
Setting a HostPort on a container allows users to forward traffic from the specified port in the host to the container. The portmap plugin would implement this by inserting these forwarding rules at the head of the iptables chain, taking precedence over the rules created by Kubernetes service definitions in the cluster. This meant that the HostPort would match incoming traffic even if there were more specific rules (like NodePorts) which fit the incoming traffic better.
How To Know If You’re Impacted
You are impacted if you use the portmap CNI plugin to run HostPorts in your Kubernetes configuration. We expect that most users will not be impacted by this, since support for network plugins in Kubernetes is still in alpha.
Remediation Steps
The portmap plugin is embedded into Kubernetes, so you will need to upgrade your cluster. This vulnerability is fixed in versions 1.11.9, 1.12.7, 1.13.5 and 1.14.0; run kubectl version --short | grep Server to check what version your server is on, and upgrade if necessary. If you are unable to upgrade your cluster, limit the use of HostPorts in the interim, or use a plugin other than portmap for port-mapping.