The first major security flaw has been uncovered in Kubernetes, the popular container orchestration system originally developed by Google. The vulnerability, identified as CVE-2018-1002105, carries a critical CVSS v3 score of 9.8: the attack complexity is low, no privileges are required, and the attack vector is the network.
The vulnerability is triggered by specially crafted requests that let a user establish a connection through the Kubernetes API server to a backend server (for example, a kubelet or an aggregated API server) and keep that connection open. An attacker can then use the established channel to send arbitrary requests to that backend, which the backend trusts because they arrive over a connection the API server set up with its own credentials. In default configurations, any user, even an unauthenticated one, is able to send the requests needed to exploit this vulnerability, which greatly increases the likelihood of mass exploitation.

To compound the issue, there is no built-in way to detect exploitation. Because the unauthorized requests are made over a connection the API server has already accepted, they do not appear in the API server audit log; only the initial, legitimate-looking request does. The follow-on requests are logged by the kubelet or aggregated API server, but there they are indistinguishable from correctly authorized requests proxied by the API server. Monitoring tools that detect unauthorized changes to cluster state can help indicate compromise and are highly beneficial in cases such as this.

Users of hosted Kubernetes solutions should find out whether their provider has applied the patches. Both Microsoft Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) have been upgraded to non-vulnerable versions; other providers may still be working on the fix. For users running their own Kubernetes clusters, fixes for this vulnerability exist in versions 1.10.11, 1.11.5, 1.12.3 and 1.13.0-rc1. Patches can and should be obtained from the open-source release artifacts or from the relevant software vendor.

Mitigations for CVE-2018-1002105 include disabling anonymous requests to the API server and suspending use of aggregated API servers, both of which will likely be disruptive in any operating environment. Updating to a non-vulnerable version as soon as possible is highly encouraged.
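The fixed versions and the anonymous-request mitigation above translate into a quick self-assessment for a self-managed cluster. The following script is an added example, not code from the article or from the Kubernetes project: it parses the `serverVersion.gitVersion` field that `kubectl version -o json` returns, compares it against the fix list (1.10.11, 1.11.5, 1.12.3, 1.13.0-rc1), and inspects the kube-apiserver command line for `--anonymous-auth=false`. It assumes that minor releases before 1.10 never received a fix and that 1.14 and later branched after it; hosted providers may backport the fix into builds with older version numbers, so for AKS, GKE and similar services the provider's own statement is authoritative. The sample inputs are constructed.

```python
import json
import re

# Patch level at which each affected minor release received the fix.
# 1.13 is handled separately because the fix shipped in 1.13.0-rc1.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}

# Matches "v1.11.4", "v1.13.0-rc.1", "v1.12.2-gke.1" and similar gitVersion strings.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?")


def parse_version(git_version):
    """Return (major, minor, patch, prerelease) from a Kubernetes gitVersion string."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError("unrecognised Kubernetes version string: %r" % git_version)
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_vulnerable(git_version):
    """True if the API server version predates the CVE-2018-1002105 fix."""
    major, minor, patch, pre = parse_version(git_version)
    if major > 1 or minor > 13:
        return False  # assumption: branches cut after the fix carry it
    if minor == 13:
        # 1.13.0-rc1 is the first fixed 1.13 build; alpha/beta pre-releases predate it.
        return patch == 0 and pre is not None and not pre.startswith("rc")
    fixed = FIXED_PATCH.get(minor)
    if fixed is None:
        return True  # assumption: 1.9 and earlier have no fixed release
    return patch < fixed


def anonymous_auth_enabled(apiserver_args):
    """kube-apiserver accepts anonymous requests unless --anonymous-auth=false is set.

    Handles both "--anonymous-auth=false" and "--anonymous-auth false" forms.
    """
    args = list(apiserver_args)
    for i, arg in enumerate(args):
        if arg == "--anonymous-auth" and i + 1 < len(args):
            return args[i + 1].strip().lower() != "false"
        if arg.startswith("--anonymous-auth="):
            return arg.split("=", 1)[1].strip().lower() != "false"
    return True  # flag defaults to true


def assess(version_json, apiserver_args):
    """Combine both checks into one report dict for a self-managed cluster."""
    git_version = json.loads(version_json)["serverVersion"]["gitVersion"]
    vulnerable = is_vulnerable(git_version)
    anon = anonymous_auth_enabled(apiserver_args)
    return {
        "server_version": git_version,
        "vulnerable_version": vulnerable,
        "anonymous_auth": anon,
        # Unauthenticated exploitation needs both an unpatched server and anonymous access.
        "unauthenticated_exploitable": vulnerable and anon,
    }


# Constructed sample input: what `kubectl version -o json` might return from an
# unpatched 1.11 control plane, and a typical static-pod command line.
SAMPLE_VERSION_JSON = json.dumps({
    "clientVersion": {"gitVersion": "v1.12.3"},
    "serverVersion": {"gitVersion": "v1.11.4", "platform": "linux/amd64"},
})
SAMPLE_APISERVER_ARGS = [
    "kube-apiserver",
    "--authorization-mode=Node,RBAC",
    "--secure-port=6443",
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION_JSON, SAMPLE_APISERVER_ARGS).items():
        print("%-28s %s" % (key, value))
```

Run it against the real `kubectl version -o json` output and the arguments from the kube-apiserver static-pod manifest (or its systemd unit). A cluster that reports `unauthenticated_exploitable: True` should be upgraded first; setting `--anonymous-auth=false` only removes the unauthenticated path, not exploitation by authenticated users.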