Two Kubernetes security vulnerabilities were disclosed yesterday: CVE-2019-1002101, a high severity issue, and CVE-2019-9946, a medium severity issue. Read on for a description of the vulnerabilities and their impact, how to know whether you’re affected, and what the remediation steps are.
CVE-2019-1002101: kubectl cp could replace or delete files on a user machine
This vulnerability is in the kubectl binary — specifically, in the kubectl cp command. An attacker can exploit this vulnerability to write files to any path on the user’s machine, limited only by the system permissions of the local user.
How It Works
The kubectl cp command is a handy utility that allows users to copy files and directories between containers running in Kubernetes pods, and the user’s machine. kubectl cp depends on the tar binary in a container — when copying files from a container, it creates a tarball inside the container, before copying it over to the user’s machine and untar-ing it.
However, if a container contains a malicious tar binary, it could construct a malicious tarball that, when extracted on a user’s machine, could replace or delete arbitrary files on it.
Remediation Steps
This vulnerability is fixed in kubectl client versions 1.11.9, 1.12.7, 1.13.5 and 1.14.0. If you’re using an older version of kubectl, upgrade by following the instructions at kubectl install docs. After upgrading, run kubectl version --client to confirm that you have a version with the fix. While you do not need to update the server to mitigate this CVE, it is important to make sure that all operators of your cluster use a patched kubectl.
CVE-2019-9946: CNI HostPorts could intercept traffic intended for other pods
This vulnerability is in the CNI (Container Networking Interface) portmap plugin, which allows users to set up HostPorts. A HostPort created with this plugin could match network traffic not intended for it, allowing attackers to potentially intercept traffic intended for other applications.
How It Works
Setting a HostPort on a container allows users to forward traffic from the specified port in the host to the container. The portmap plugin would implement this by inserting these forwarding rules at the head of the iptables chain, taking precedence over the rules created by Kubernetes service definitions in the cluster. This meant that the HostPort would match incoming traffic even if there were more specific rules (like NodePorts) which fit the incoming traffic better.
How To Know If You’re Impacted
You are impacted if you use the portmap CNI plugin to run HostPorts in your Kubernetes configuration. We expect that most users will not be impacted by this, since support for network plugins in Kubernetes is still in alpha.
Remediation Steps
The portmap plugin is embedded into Kubernetes, so you will need to upgrade your cluster. This vulnerability is fixed in versions 1.11.9, 1.12.7, 1.13.5 and 1.14.0; run kubectl version --short | grep Server to check what version your server is on, and upgrade if necessary. If you are unable to upgrade your cluster, limit the use of HostPorts in the interim, or use a plugin other than portmap for port-mapping.