Crafty Requests: Deep Dive into Kubernetes CVE-2018-1002105

Transcript

1. CRAFTY REQUESTS Deep Dive Into a Kubernetes CVE @IanColdwater

2. • Hi! I’m Ian Coldwater. • I’m a Lead Platform

   Security Engineer at Heroku, specializing in hacking and hardening Kubernetes, containers and cloud infrastructure. • On December 3, 2018, my phone blew up. @IanColdwater

3. BIG NEWS! @IanColdwater https://www.zdnet.com/article/kubernetes-first-major-security-hole-discovered/

4. CVE-2018-1002105 • Issue originally discovered by Darren Shepherd and filed

   directly with Rancher in August 2018 (https://github.com/rancher/rancher/issues/14931) • Diagnosed by Rancher as a TCP connection reuse issue and reported privately to Kubernetes security team in November 2018 • Publicly disclosed by Kubernetes security team on December 3, 2018 @IanColdwater

5. SERIOUSLY, THIS WAS A BIG DEAL • Lots of press

   and attention • High to critical severity vulnerability - 8.8 to 9.8 CVSS v3 score • Affected ALL Kubernetes versions up to fix @IanColdwater

6. @IanColdwater https://github.com/kubernetes/kubernetes/issues/71411

7. AFFECTED VERSIONS • Kubernetes 1.0.x-1.9.x • Kubernetes 1.10.0-1.10.10 (fixed in

   1.10.11) • Kubernetes 1.11.0-1.11.4 (fixed in 1.11.5) • Kubernetes 1.12.0-1.12.2 (fixed in 1.12.3) @IanColdwater

8. THE GOOD NEWS? • If you were already running everything

   as admin, no unauthorized user could escalate privileges to admin. • This is a bad idea. Please don’t actually do this. @IanColdwater

9. @IanColdwater https://twitter.com/attritionorg/status/1069737718228246528

10. @IanColdwater https://twitter.com/attritionorg/status/1069741629899079680

11. HOW DID THIS FLAW WORK? Connections were allowed to upgrade

    without checking for error codes, allowing users who sent a specially crafted request to communicate directly with backend servers. @IanColdwater

12. TO FIGURE OUT HOW THIS HAPPENED, LET’S TAKE A LOOK

    AT THE MOVING PARTS. @IanColdwater

13. KUBERNETES CONTROL PLANE @IanColdwater

14. API SERVER • provides the REST API endpoint through which

    Kubernetes operations are made • acts as a gateway between the user and backend servers, such as extension API servers and kubelets • accessible to all pods by default @IanColdwater

15. CONNECTION FLOW • User sends a request to API server

    • API server authenticates and authorizes user • API server uses TLS credentials to establish connection with backend server • API server acts as a reverse proxy, routing requests between user and backend server @IanColdwater

16. CONNECTION: UPGRADE • Reverse proxies such as the Kubernetes API

    Server can upgrade HTTP connections to websockets, which allow back- and-forth communication in a more efficient way than having to constantly open and close connections. @IanColdwater

17. • If a connection upgrade request is sent that isn’t

    valid, an error code is returned. If the request returns success, a “dumb pipe” is created that remains open. @IanColdwater

18. IN THEORY, THIS WORKS • This is common behavior in

    scenarios such as load balancing • It becomes a problem when dumb pipes meet more complicated gateways that perform actions like routing, authentication and authorization. • Kubernetes does exactly this, leading to a privilege escalation issue with multiple attack paths. @IanColdwater

19. DUMB PIPES ARE DUMB • With this flaw, attackers could

    trick HTTP connections to upgrade to websockets despite returning errors. This allowed them to communicate directly with backend servers, bypassing the API server controls around authorization • Such traffic is very difficult to detect in logs @IanColdwater

20. ATTACK VECTORS • exec/attach/port-forward • extension/aggregated API servers @IanColdwater

21. EXEC/ATTACH/PORT-FORWARD @IanColdwater • users who are authorized to pod exec/attach/port-forward

    • can escalate to broader cluster API access via kubelet • affected all Kubernetes deployments before fixed versions • CVSS 8.8 (high)

22. EXTENSION/AGGREGATED API SERVERS @IanColdwater • authorized users for API discovery.

    By default, this is anybody! • can escalate to anything on downstream API servers • only affects deployments with extension API servers • CVSS 9.8 (critical)!

23. @IanColdwater

24. @IanColdwater

25. WHAT COULD POSSIBLY GO WRONG? • Cryptomining or other hijacking

    compute resources • Exfiltrating secrets or other sensitive data • Injecting malicious code, supply chain attacks • Total cluster takeover. Whatever an attacker can dream up! @IanColdwater

26. EXPLOIT DEMO! @IanColdwater From Twistlock: https://asciinema.org/a/215929

27. PUBLISHED EXPLOITS @IanColdwater • https://github.com/evict/poc_CVE-2018-1002105 • https://github.com/gravitational/cve-2018-1002105 • https://www.exploit-db.com/exploits/46052 •

    https://www.exploit-db.com/exploits/46053 • https://www.twistlock.com/labs-blog/demystifying-kubernetes-cve-2018-1002105-dead-simple-exploit/ • https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability- cve-2018-1002105-3150d97b24bb • These are just some published ones. There are more :)

28. THE FIX @IanColdwater • 37 line change commit https://github.com/kubernetes/kubernetes/pull/ 71412/files

    • Checks for error codes and closes the connection rather than upgrading the connection request if an invalid code is returned.

29. @IanColdwater https://github.com/kubernetes/kubernetes/commit/b84e3dd6f80af4016acfd891ef6cc50ce05d4b5b

30. MITIGATIONS @IanColdwater • Update your Kubernetes versions! • There are

    other workarounds, but they are disruptive and impractical • Updating is easiest, most effective and I really hope you’ve done it by now • If you are on a public cloud, they updated it for you.

31. MITIGATING FUTURE FLAWS @IanColdwater • This wasn’t the first and

    won’t be the last vulnerability like this. • How can we protect our architecture better?

32. DEFENSE IN DEPTH @IanColdwater • Operate on a zero-trust model

    • Firewalls and gateways aren’t enough on their own

33. WATCH YOUR DEPENDENCIES @IanColdwater • Supply chain attacks are a

    real issue, with potentially catastrophic results.

34. KEEP UP TO DATE! @IanColdwater • Kubernetes moves fast, and

    security continues to improve. • Let’s all move fast and improve our security along with it!

35. WHAT ELSE CAN WE LEARN FROM THIS? @IanColdwater • Kubernetes

    Product Security postmortem report: https://github.com/ kubernetes/kubernetes/files/2700818/PM-CVE-2018-1002105.pdf • Cloud-native and security folks need to communicate better, on this side of the news cycle. • Greater understanding is needed all around.

36. YOU CAN DO IT! I believe in you. @IanColdwater

37. RESOURCES • https://github.com/kubernetes/kubernetes/issues/71411 • https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88 • https://nvd.nist.gov/vuln/detail/CVE-2018-1002105 • https://www.twistlock.com/labs-blog/demystifying-kubernetes-cve-2018-1002105-dead- simple-exploit/

    • https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/ • https://rancher.com/blog/2018/2018-12-04-k8s-cve/ @IanColdwater