Slashdot Mirror


Kubernetes' First Major Security Hole Discovered (zdnet.com)

Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

90 comments

  1. Awesome by Anonymous Coward · · Score: 0

    More like Secur-not-ees

  2. I'll give it a try. by fahrbot-bot · · Score: 4, Funny

    Can you say root? I knew you could.

    "Groot" -- Damn it! So close...

    --
    It must have been something you assimilated. . . .
    1. Re: I'll give it a try. by Anonymous Coward · · Score: 0

      "Groot" -- Groot! groot...

    2. Re:I'll give it a try. by Anonymous Coward · · Score: 0

      In the old days, a fellow sys admin accidentally replaced the first character in /etc/passwd with the letter g. It caused some problems.

    3. Re:I'll give it a try. by Aighearach · · Score: 1

      as long as it isn't Lroot

  3. Glad I don't work for $CORP anymore. by Anonymous Coward · · Score: 0

    They were deploying that stuff all-out, in a desperate attempt to be "modern".

  4. Inside the firewall by phantomfive · · Score: 5, Informative

    So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

    My understanding is this is only exploitable by people who have access to Kubernetes anyway. Your firewall should not be routing any traffic from the general internet to the Kubernetes api. So this is a good opportunity to check to make sure your firewall is configured correctly, but if you are vulnerable to outside threats, the problems run deeper than a single vuln; you'll want to look seriously at your processes and make sure they are security focused. (Or make them more security focused than they are now).

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Inside the firewall by Shaitan · · Score: 5, Insightful

      You are vulnerable to inside threats. In a small org it may not be a factor but when you get to enterprise environments you have segregated permissions. I think Edward Snowden is a hero but that aside, he is a poster child of why you are supposed to have everyone locked down into just the access they need.

    2. Re:Inside the firewall by phantomfive · · Score: 1

      Because no one has ever had employees who were internal threats or had attackers gain access to a company's internal network from the outside?

      You can't stop that.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Inside the firewall by Anonymous Coward · · Score: 1

      Except Snowden was a system administrator and he did not use his own access to exfiltrate the documents, he used 'borrowed' credentials from people whose computers he was fixing.

    4. Re:Inside the firewall by phantomfive · · Score: 3, Interesting

      Except Snowden was a system administrator and he did not use his own access to exfiltrate the documents, he used 'borrowed' credentials from people whose computers he was fixing.

      This sort of thing is why you can't completely stop internal threats. There are too many avenues of attack, and you can't shut them all without really slowing down things inside the business and causing problems.

      This is one of the unsolved problems of security.

      --
      "First they came for the slanderers and i said nothing."
    5. Re: Inside the firewall by Anonymous Coward · · Score: 0

      Well, I do not totally agree with that. I think security could be more of a functional threat-oriented practice rather than a theoretical threat-oriented practice.

    6. Re: Inside the firewall by phantomfive · · Score: 1

      Well, I do not totally agree with that.

      I would be happy to hear why you don't agree, please explain.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:Inside the firewall by xxxJonBoyxxx · · Score: 1

      >> when you get to enterprise environments you have segregated permissions

      Sometimes. YMMV.

    8. Re: Inside the firewall by Anonymous Coward · · Score: 0

      Because it never happened at the 10-man shop which has been the only place he's ever worked, probably.

    9. Re:Inside the firewall by AHuxley · · Score: 1

      Re "This is one of the unsolved problems of security."
      Keep the next big idea as a spoken topic among 10 ~ 100 workers?
      A walk in vault with no electronic devices and notes on paper.
      Look deep into the political and friendship past of all trusted workers.

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re: Inside the firewall by Anonymous Coward · · Score: 0

      LOL! 10-man shop! You tell em, AC!

    11. Re:Inside the firewall by Anonymous Coward · · Score: 0

      Because no one has ever had employees who were internal threats or had attackers gain access to a company's internal network from the outside?

      You can't stop that.

      Right ... so don't rely upon the company's internal network being considered secure.

      I believe this is the basis of BeyondCorp "the security approach we use at Google that allows employees to work from any network, quickly and easily."

      Caveat: IANAS/NA (System/Network Administrator)

    12. Re:Inside the firewall by Shaitan · · Score: 1

      He used su to assume other users logins, he didn't need borrowed credentials.

    13. Re:Inside the firewall by Shaitan · · Score: 1

      Is there a sad but real moderation?

    14. Re:Inside the firewall by Anonymous Coward · · Score: 0

      1. Firewalls don't route anything. Firewalls block or allow. Routers route. Routers modify traffic. Routers do many things that firewalls do not.

      2. Some organizations still live in the '90s but telework and multi-site enterprise management is not just a thing, but the thing in today's networking world.

      Since phantomfive posts so often and has done so for a long time, I wonder if he is retired or is simply among the majority of software developers/PM/general management that does not have much experience in networking.

    15. Re:Inside the firewall by techno-vampire · · Score: 1

      Actually, he still needed the other user's password. When you use su to become another user, you still have to supply that user's password.

      --
      Good, inexpensive web hosting
    16. Re:Inside the firewall by Anonymous Coward · · Score: 1

      Snowden was a sysadmin so he had admin/root/sudo/wheel group access. With sudo su you are good to go.

    17. Re:Inside the firewall by techno-vampire · · Score: 2

      I just experimented by opening a terminal and using su - to become root. Then, I used su $USERNAME to see if I could su back to myself and which password I needed. Lo and behold, once you're root, you can su to anybody else without being prompted for a password. Live and learn. I sit corrected.

      --
      Good, inexpensive web hosting
    18. Re:Inside the firewall by jpaine619 · · Score: 1

      WTF? No you don't... If you su to root first, you can then su to any account with no password required.. Same with sudo su.

    19. Re:Inside the firewall by Aighearach · · Score: 1

      Program cards. In a box.

    20. Re:Inside the firewall by phantomfive · · Score: 1

      The reasoning behind that is, even if su required the password, someone as root could write a program to allow them to become another user anyway, so it's not going to make a difference. Sysadmins who care about this use sudo to limit and log interactions.

      --
      "First they came for the slanderers and i said nothing."
    21. Re:Inside the firewall by phantomfive · · Score: 1

      BeyondCorp uses the paradigm "deploy everything on the public internet." You can only use that approach if you can trust all the software you deploy. If you need to use libraries created elsewhere (like Kubernetes at Google), and there is a good chance it is insecure, then having a firewall will give you an extra layer of security. It's not perfect but better.

      --
      "First they came for the slanderers and i said nothing."
    22. Re:Inside the firewall by phantomfive · · Score: 1

      1. Firewalls don't route anything. Firewalls block or allow.

      Even if they only forward packets to the next hop, they are still routing.

      --
      "First they came for the slanderers and i said nothing."
    23. Re:Inside the firewall by techno-vampire · · Score: 1

      Yeah; I found that out by experiment later. Open mouth, exchange feet.

      --
      Good, inexpensive web hosting
    24. Re:Inside the firewall by Anonymous Coward · · Score: 0

      Brick walls don't route anything. Firewalls are more selective.

    25. Re:Inside the firewall by swillden · · Score: 1

      The reasoning behind that is, even if su required the password, someone as root could write a program to allow them to become another user anyway, so it's not going to make a difference.

      More than that, it would be actively bad for su to require the password. It would make less-thoughtful sysadmins believe that root can't act as any user. This can still happen, witness techno-vampire's misunderstanding, but it would be much worse if he couldn't do a simple test and discover his error in a few seconds.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    26. Re:Inside the firewall by swillden · · Score: 2

      Re "This is one of the unsolved problems of security." Keep the next big idea as a spoken topic among 10 ~ 100 workers? A walk in vault with no electronic devices and notes on paper. Look deep into the political and friendship past of all trusted workers.

      You omitted the crucial part of the post you quoted (emphasis mine, obviously):

      There are too many avenues of attack, and you can't shut them all without really slowing down things inside the business and causing problems.

      Yes it's possible to reduce the threat of insider attacks by reducing the set of insiders with access and carefully vetting that small group, and also by adding other measures like technical and procedural mechanisms to require multiple people to be involved in any access to sensitive data, but anything you do that way is going to "really slow things down inside the business and cause problems". Sometimes data is so sensitive it's worth the hassle and expense. Most of the time, it's not.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    27. Re:Inside the firewall by AHuxley · · Score: 1

      The other neat trick is to create a fake project idea just for each person who could be trusted.
      Do they run to protest to their boss? Run to look up who to talk to in media/gov? Talk about aspects of the work online using extra social media accounts?
      Talk to academics and media in hidden ways later that day?
      The workers who read the task and say it's not going to work/needs more work/could be done but stay 100% loyal are then to be trusted for another few tests and then a "real" project.

      --
      Domestic spying is now "Benign Information Gathering"
  5. So what's next after Kubernetes? by Anonymous Coward · · Score: 0

    wtf is kubernetes and why are people using it??

    How many times are they going to re-invent what already exists -- but with new security holes?

    1. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 1

      wtf is kubernetes

      The love child of Google's NIH obsession.

      and why are people using it??

      The industry is full of mindless followers. Those who are able to think rationally about what they are doing are overridden by management who read something in a trade rag one day after a hard day's work of golf and banging the secretary and is now an "expert".

    2. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      Yep, I only use the software written by the incredibly talented developers of systemd. They write flawless code with nary a single bug.

    3. Re:So what's next after Kubernetes? by ArchieBunker · · Score: 1

      Was this whole scheme dreamed up because of dependency hell? Like your current distro has no package for a particular binary you're interested in. So you need to compile it and it needs a dozen obscure libraries. One of those libraries needs a few more to compile and is currently broken. Or is it a rip off from OSX?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re:So what's next after Kubernetes? by Crash+Dummy+Redux · · Score: 1

      Sounds like something Chris would do. Whoever the fuck he is.

    5. Re: So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      You gotta love the modern OSS security model: A million scrying eyes reading a thousand lines of code that required a billion lines of unchecked code of bloated dependencies be installed from god knows where by an automated script with no security checks.

    6. Re: So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      As opposed to a few dozen eyes paid not to look for things that could embarrass them in the proprietary blobs? Yeah I'll take the OSS model any day, you're a moron and the numbers back that up.

      Fuck off to another Adobe vuln.

    7. Re: So what's next after Kubernetes? by reanjr · · Score: 4, Interesting

      I think it mostly stems from lazy/bad app developers who can't figure out how to install their own app on anything but the one machine it was written on. Their answer is to add the entire OS install as a dependency rather than figure out how security or configuration works. After the whole industry switched from just requiring install dependencies to requiring entire running system snapshots to get anything working, tools like kubernetes were created to address the problems of their own creations.

    8. Re: So what's next after Kubernetes? by ArchieBunker · · Score: 1

      Shit I had no idea it was that bad. Yeah how could a foreign system snapshot ever cause an issue...

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    9. Re:So what's next after Kubernetes? by phantomfive · · Score: 1

      Was this whole scheme dreamed up because of dependency hell?

      It's because people don't know how to write install scripts anymore. We've been doing it for decades now, and it's easier than ever, but people think they can solve their problems by using a VM in a VM. They can't: if their installation process is garbage and complex, adding another layer of complexity will not help things.

      --
      "First they came for the slanderers and i said nothing."
    10. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      You've sure got Chris on the brain. For someone you don't know, you sure seem to bring him up a lot, Chris. I mean Redux.

    11. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      So you don't know who Chris is but you know what he would do?

      creimer, you're a dummy

    12. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      The Sound of Music is something Chris would do.

      FTFY -- For the younger ones that's a cultural reference to the movie The Sound of Music starring Christopher Plummer, which won five Academy Awards.

      Laugh! It's hilarious!

    13. Re:So what's next after Kubernetes? by Crash+Dummy+Redux · · Score: 0

      Fuck this. I'm going back to Reddit. You trolls can keep Slashdot.

    14. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      Thanks for letting us know. Usually when people decide to stop posting on a site they don't bother posting about it.

    15. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      Mod this MOTHERFUCKING SHITMOTH UP!!!!!

      We can't let this message go unnoticed!

    16. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      Hello CDR!

      Your next video is going to be your 100th and any experienced youtuber knows that things automagically go skyrocketing after that. Congratulations for your hard work!

      My YouTube channel has 222K subscribers and many videos with hundreds of thousands of views:

      https://www.youtube.com/watch?...

      Now, with some slight adjustments, I think that together, we could make the view count skyrocket on your very own Team Creimer youtube channel :)

      Please feel confident to contact me if you want me to coach you, we aren't living so far away from each other so we could even easily meet.

      Love XX,

      --
      -Granny

    17. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      Do you have any essperience with roaming numerals?

      Chris is currently indisposed and can't reply to your post at the moment.

      Granny PottyMouth has just revealed to Chris (see https://slashdot.org/comments....) that most of the views on our YouTube channels were caused by one of her employee using her click-bots.

      She says she instructed him to stop immediately and what she says must be true since the views stopped on our channel and we have only 12 views since last week on our latest video "How to Pronounce The New Apple iPhone XR, XS & XS Max (September 2018)". Note that the pronunciation might change in December so make sure to keep watching our channel!
      --
      Ethell, Team Creimer Administrative Assistant.
      How to Pronounce The New Apple iPhone XR, XS & XS Max (September 2018)

    18. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      _,--=#[The Post CRIMER aka The Original CDR, Crash Dummy Redx etc. doesn't want you to read!!!]#=--,_ 1)Why-are-people-upset-with-him? 2)What-can-I-do 3)What-are-his-names 4)Who-is-FatCashewsLovesMe 5)How-to-defeat-his-hustles 6)Why-are-there-dashes 7)Pastebin-Copy

      1)Why-are-people-upset-with-himHe makes frequent low quality posts for two reasons:
      Money) BASICALLY: He made thousands of shitty posts & bragged about how much money it made him.
      DETAILS: He wants u to folow his referer links & pick up his cookie. Even if u dont buy what he linked but do buy something else from that site later on he often makes money;He ALSO tries to drive TRAFFIC to his various BLOGS & vlogs.
      Karma)He believes karma acumulates infinitely So he makes lots of pointles posts that r not bad enough to mod down;hoping they wil get moded up;He was a raging ahole when he thoght he had a karma surplus

      2)What-can-I-do DOWNMOD u wil usually get more mod points. If he is postng from a new sock acount w/ krma, get his oldst posts first. DOWNMOD him and AC in fresh thrads early on;Metmods wil reward u. METAMOD his posts. REPLY ONLY ANONYMOUSLY to the most deeply nested coments in his threds it helps hide his posts. Dwnvote his SUBMISSIONS, he uses to get krma. REPORT HIM to slshdot & the afiliate progrms he is usng. DONT MENTION his brand names c**mer.

      3)What-are-his-namesMost famous:The Original CDR, Cre|mer Cdre|mer ILoveFatCashews, Anonymous Cashews, The Fat Bastard aka TCDR

      4)Who-is-FatCashewsLoveMe AKA Tardu Lardo,FCLM Funny & anoying; Not me or crimer;He keeps lookout for infestation

      5)How-can-I-avoid-his-hustles --===DONT FOLLOW HIS LINKS!!!===--
      IF YOU MUST:Use a privte tab & nevr buy anything on the same sesion. If he fools u, close tab, cler the cookies for that site. There r sites other than yutube that wil let u watch his videos. I dont know if people view his contnt but I can pictre his jowls jigling at the thoght of people subvrting his business model
      6)Why-are-there-dashes & weird stuffI know most only skim thse posts. I want the most imprtnt infrmton to pop out at a glnce & to keep it shrt. I dont use TCDRs name becase he may think tht he benfits from geting it indxed by serch engnes. Id like 2 thnk TCDR & FCLM for editrial advice

      7)Copy: http://archive.is/TtDrY

    19. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      C.D. Reimer (Crash Dummy Redux) is a renowned Slashdot collaborator, as he puts it himself; "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."

      But does anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!

      Creimy Dumpty sat on the wall,
      Creimy Dumpty had a great fall.
      All the king's horses
      And all the king's men
      Couldn't put Creimy Dumpty
      Together again.

      Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
      https://www.youtube.com/watch?...

      With "Vice President Pence Vowing US Astronauts Will Return To the Moon", we are sure they will need miracle workers up there, here is what it would look like. Note that Creimy takes care of bringing a lot of food to the moon as depicted below:
      https://www.youtube.com/watch?...

      Creimy's real pictures:
      Before the sex change:
      https://ibb.co/cc7Ddw
      After the sex change:
      https://ibb.co/gVad65

      Creimy's "enterprise-level" chair, he talks about it all the time on slashdot:
      http://www.keynamics.com/image...

      Creimy's head, while his supervisor was talking to him, not with him, since it is impossible to do with Creimy:
      http://ibb.co/mRVSaG

      Creimy acting in educational resource document, he actually confirmed himself on Slashdot that he was handled by Special Education for the Santa Clara County Office of Education! He is really a king Dumpty!:
      http://www.sccoe.org/depts/stu...

    20. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      https://www.youtube.com/watch?...

      Cryptofeces Lepidoptera Creimerus infestation is a serious problem. Not only are they capable of reproducing asexually like amoebas, they can also lay eggs hermaphroditically in unexpected places. They can disguise eggs as something useful to fool the unaware, sometimes pretending to be a haiku author, blogger, vlogger, or IT closet cleaner.

      Very dangerous. They can seemingly reproduce out of the cosmic background radiation, even if you step on twelve of them, there's always one you miss.

      Don't be fooled by the C. Lepidoptera Creimerus's innocuous, rolly-polly, and almost friendly appearance; despite its great size, stupid demeanor, and bedraggled toothless appearance, they have the hardiness of a tardigrade.

      Only a concerted, targeted downmodding campaign has been shown effective in controlling this dangerous pest.

      Experience shows that stopping such a campaign leads to C. Lepidoptera Creimerus returning within days.

      Don't let it happen again!
      --
      the biggest looser on Slashdot

    21. Re:So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      I'm going back to Reddit

      HUZZAH!!! HUZZAH!!!!

    22. Re: So what's next after Kubernetes? by Anonymous Coward · · Score: 0

      Kubernetes is kind of sort of like a package manager for a whole system state. The overhead is a lot less than virtualization. Now sure one of the benefits of virtualization is reduction in dependency hell but I want to help you form a sort of picture because I don't really know how else to explain.
      If money and space didn't matter it would usually be best to run each service on its own physical server.
      Since money matters we know we can't do that, as a matter of fact when money mattered the most it was common for a single production server to be running all sorts of unrelated services.
      Virtualization was a sort of happy medium.
      Competition among virtualization solutions brought about a whole slew of really useful features.
      Kubernetes provides all of these benefits plus it's lighter weight plus it can be used to roll out to virtual machines, containers, or a single container on a single server as a sort of quasi bare metal.
      And just cause it's cool and maybe it will be useful. You can write a program out of FaaS lambdas, "load" the program onto your distributed computing network, and run it. Sure it's got some crazy overhead and latency compared to running it on your computer. I have 20 reasonably fast cores and an oc'd 4 core i5 which has one of the highest single thread ratings on the market stock. Then if I ever get around to reassembling it I have a cluster of a few x86 and a bunch of arm sbcs too probably totaling around 40 cores.
      I have no idea what I can do with all that but it way exceeds my home networking needs; my wife does some AI work so maybe eventually I'll show her how to use it.

      Come on man that's rad

  6. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  7. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  8. Containerization by sexconker · · Score: 1, Interesting

    I'd rather have 12 isolated VMs than 1 VM with 12 containers, or any amalgamation adding up to 12 containers.
    Storage is cheap. Memory isn't, but a minimal Linux install to support your software stack isn't exactly a big overhead in that regard.
    The only real benefit it brings is having fewer servers (physical or virtual) to manage/update, but you'll still have at least one, so either deal with it or script it.

    1. Re:Containerization by Anonymous Coward · · Score: 0

      Memory is cheap, but virtual hosting charges through the nose for big memory instances.

    2. Re:Containerization by Anonymous Coward · · Score: 0

      Why, are you just a fan of inefficient use of resources and buggy hypervisors?

    3. Re:Containerization by Anonymous Coward · · Score: 0

      But Kubernetes is web scale.

    4. Re:Containerization by phantomfive · · Score: 1

      It pains me to use Kubernetes on AWS because you are essentially using a VM in a VM, and if you want you can set up your own images on AWS, too. If you can't write a decent install script, using Kubernetes is not going to help you.

      The only benefit I see to using Kubernetes is that it makes it easier to port from one cloud server to another, if you need to. Because it's becoming the standard that everyone supports.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Containerization by Anonymous Coward · · Score: 0

      Where do you draw the line between “VMs” and “containers”? Docker, for example, is considered a container (or, rather, a deployment mechanism for containers). But Docker uses Hyper-V as its isolation mechanism. So you are really using VMs.

      If they are virtual, you can put them anywhere. So 12 “VMs” running on any number of hypervisors is pretty much identical to running 12 “containers” on any combination of machines, virtual or otherwise.

    6. Re:Containerization by DutchDopey · · Score: 1

      That is not the point. There is a loose coupling between the VM and the application. Which means you are never 100% sure your application runs in the environment it was intended for. With containerisation the application always runs in the environment it was intended for regardless of the infrastructure/VMs. Kubernetes is about devops, not about infrastructure.

    7. Re: Containerization by Anonymous Coward · · Score: 0

      if you think docker is a vm, you should read about it more and stay away from the technology until you do.

    8. Re: Containerization by Anonymous Coward · · Score: 0

      A container is just another flavor of VM.

    9. Re: Containerization by Anonymous Coward · · Score: 0

      VMs use their own guest operating system, containers use the host operating system - a very important difference.

  9. what a clusterfuck by Anonymous Coward · · Score: 0

    anyone who knows about this hole can take command of your Kubernetes cluster

    1. Re:what a clusterfuck by Anonymous Coward · · Score: 0

      Wrong. You know about the hole. You're not able to take over anything.

      Get a clue, idiot.

    2. Re:what a clusterfuck by Anonymous Coward · · Score: 0
      From TFA:

      A pod exec/attach/portforward API call can be escalated to perform any API request against the kubelet API on the node specified in the pod spec (e.g. listing all pods on the node, running arbitrary commands inside those pods, and obtaining the command output). Pod exec/attach/portforward permissions are included in the admin/edit RBAC roles intended for namespace-constrained users.

      You need to get a clue, idiot.
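The story summary at the top says that in default configurations all users, unauthenticated ones included, may perform the discovery API calls that start this escalation, and the TFA excerpt quoted in the comment above says pod exec/attach/portforward permissions are part of the admin/edit RBAC roles. The script below is an added example for defenders, not code from the article, from Slashdot, or from the Kubernetes project: it audits RBAC data for both conditions. It runs over constructed JSON shaped like the output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (the sample roles and bindings are made up and trimmed to the fields the audit needs, not a dump of any real cluster) and reports which bindings reach the `system:unauthenticated` group and which subjects hold a role that grants `pods/exec`, `pods/attach` or `pods/portforward`.

```python
import json

# Pod subresources whose permissions, per the advisory text quoted above,
# can be escalated into arbitrary requests against the node's kubelet API.
ESCALATION_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
UNAUTHENTICATED_GROUP = "system:unauthenticated"

# Constructed sample resembling `kubectl get clusterroles -o json`, trimmed
# to the fields the audit needs. Rule contents are illustrative only.
SAMPLE_CLUSTERROLES = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "edit"},
     "rules": [{"apiGroups": [""],
                "resources": ["pods", "pods/exec", "pods/portforward"],
                "verbs": ["create", "get", "list"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "system:discovery"},
     "rules": [{"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*"],
                "verbs": ["get"]}]},
]})

# Constructed sample resembling `kubectl get clusterrolebindings -o json`.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "dev-edit"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "auditors-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]})


def roles_granting_escalation(clusterroles_json):
    """Map role name -> sorted subresources it grants from ESCALATION_SUBRESOURCES.

    A rule counts if it covers the core API group ("" or "*") and names the
    subresource explicitly or via a resource wildcard, with any verb at all.
    """
    found = {}
    for role in json.loads(clusterroles_json)["items"]:
        hits = set()
        for rule in role.get("rules", []):
            groups = set(rule.get("apiGroups", []))
            if not groups & {"", "*"}:
                continue  # pod subresources live in the core group only
            resources = set(rule.get("resources", []))
            if "*" in resources:
                hits |= ESCALATION_SUBRESOURCES
            else:
                hits |= resources & ESCALATION_SUBRESOURCES
        if hits:
            found[role["metadata"]["name"]] = sorted(hits)
    return found


def bindings_to_unauthenticated(bindings_json):
    """Return names of bindings whose subjects include system:unauthenticated."""
    return sorted(
        b["metadata"]["name"]
        for b in json.loads(bindings_json)["items"]
        if any(s.get("kind") == "Group" and s.get("name") == UNAUTHENTICATED_GROUP
               for s in b.get("subjects", []))
    )


def subjects_with_escalation(clusterroles_json, bindings_json):
    """Map binding name -> sorted subject names for bindings that hand out a
    role able to reach pods/exec, pods/attach or pods/portforward."""
    risky_roles = roles_granting_escalation(clusterroles_json)
    result = {}
    for b in json.loads(bindings_json)["items"]:
        ref = b.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in risky_roles:
            result[b["metadata"]["name"]] = sorted(
                s["name"] for s in b.get("subjects", []))
    return result


def audit(clusterroles_json, bindings_json):
    """Produce human-readable findings for both conditions."""
    findings = []
    for name in bindings_to_unauthenticated(bindings_json):
        findings.append(f"binding {name!r} grants a role to {UNAUTHENTICATED_GROUP}")
    for name, subjects in subjects_with_escalation(clusterroles_json, bindings_json).items():
        findings.append(f"binding {name!r} gives exec/attach/portforward to {', '.join(subjects)}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS):
        print(line)
```

On a real cluster, pass the text of those two `kubectl ... -o json` commands to `audit()` in place of the constructed samples; namespaced RoleBindings (`kubectl get rolebindings -A -o json`) can be fed through the same functions after mapping their `roleRef` kind, which this example leaves as an exercise. Neither finding is itself a bug: the point is to know which principals, including anonymous ones, can reach the API paths the advisory describes, so the exposure can be reduced before and verified after patching.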

    3. Re:what a clusterfuck by Anonymous Coward · · Score: 0

      Wrong again.

      YOU know about the hole. YOU still cannot gain access to anything. It's OK to not be a dumbass dipshit. Learn something.

      Pathetic idiot, get a clue. You have not the slightest idea of how the vulnerability works. Shut up and get back to preschool. You're obviously late for your nap.

  10. Re:Huh? by Rob+Riggs · · Score: 2

    There are two scoring methods used by CVE, CVSS 2.0 and CVSS 3.0. You may find this link to the vulnerability enlightening: https://nvd.nist.gov/vuln/deta...
    Still, your point is well taken. This is not the first.

    --
    the growth in cynicism and rebellion has not been without cause
  11. What if I boot you in the nuts by Anonymous Coward · · Score: 0

    What if I boot you in the nuts and force you to give me your password?

  12. Re:Huh? by Anonymous Coward · · Score: 0

    OpenShift != Kubernetes

  13. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  14. Back doors by Dunbal · · Score: 1

    We'll just code this in, no one will notice.

    --
    Seven puppies were harmed during the making of this post.
  15. Re:Just one question... by Anonymous Coward · · Score: 0

    Don't worry, he has enough educated racist supporters, so he'll be fine.

  16. ABD by Anonymous Coward · · Score: 0

    They only found the Aust Govt backdoor trial.. Won't be patched in the land of Oz...
    No Wizards here..

  17. Re:Huh? by Himmy32 · · Score: 1

    You realize that since version 3, OpenShift is a distribution of Kubernetes under the hood, right? Here is the CVE for OpenShift for the k8s vulnerability from today

  18. Comment removed by account_deleted · · Score: 0

    Comment removed based on user account deletion

  19. Memory Is Expensive?? by Anonymous Coward · · Score: 0

    Dude, what planet are you on? RAM is cheap, like borscht.