A critical vulnerability has been discovered in all versions of kubeclient up to, and not including, v4.9.3. This Ruby gem is widely used in Ruby applications for communicating with the Kubernetes REST API. The vulnerability allows attackers to perform man-in-the-middle (MITM) attacks on unsuspecting applications, due to the incorrect handling of certificate validation in kubeconfig files.

Vulnerability Details

The flaw, identified as CVE-2022-0759, occurs when kubeclient incorrectly parses kubeconfig files that do not specify custom Certificate Authorities (CA) for certificate validation. As a result, kubeclient returns VERIFY_NONE and accepts any certificate presented by the server.

An attacker could exploit this issue by intercepting and modifying traffic between the vulnerable application and the Kubernetes REST API. This would enable the attacker to gain unauthorized access to Kubernetes resources, tamper with the application's kubeconfig settings, perform actions on behalf of the user, and potentially take over the entire Kubernetes cluster.

Code Snippet

If a kubeconfig file does not include a custom CA certificate, and the apiVersion and kind fields are not set, kubeclient will default to VERIFY_NONE. The problematic code is as follows:

require 'openssl'

def ssl_options(context)
  options = {}
  # If 'kind' and 'apiVersion' are not set, VERIFY_NONE is returned,
  # which disables certificate validation entirely.
  if context.kind.nil? && context.apiVersion.nil?
    options[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE
  else
    if context.sslCaFile
      # ... (remainder elided in the original)
    end
  end
  options
end
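For contrast with the snippet above, here is a fail-closed way to derive TLS options from a kubeconfig cluster entry, plus an audit that lists clusters which would skip verification. This is an added example, not kubeclient's own code or its actual patch; the helper names, the sample kubeconfig, and the use of the `:ca_file` and `:cert_store` option keys are assumptions made for illustration.

```ruby
require 'openssl'
require 'yaml'

# Constructed sample kubeconfig: the first cluster names no CA, the second
# explicitly opts out of verification, the third supplies a CA file path.
SAMPLE_KUBECONFIG = <<~YAML
  clusters:
  - name: no-ca
    cluster:
      server: https://k8s.example.invalid:6443
  - name: opt-out
    cluster:
      server: https://k8s.example.invalid:6443
      insecure-skip-tls-verify: true
  - name: custom-ca
    cluster:
      server: https://k8s.example.invalid:6443
      certificate-authority: /etc/kubernetes/ca.crt
YAML

# Hypothetical helper: fail closed. Verification is switched off only when
# the kubeconfig says so explicitly, never because a CA entry is missing.
def safe_ssl_options(cluster)
  return { verify_ssl: OpenSSL::SSL::VERIFY_NONE } if cluster['insecure-skip-tls-verify'] == true

  options = { verify_ssl: OpenSSL::SSL::VERIFY_PEER }
  if cluster['certificate-authority']
    options[:ca_file] = cluster['certificate-authority']
  else
    # No custom CA: validate against the system trust store instead.
    store = OpenSSL::X509::Store.new
    store.set_default_paths
    options[:cert_store] = store
  end
  options
end

# Hypothetical audit: names of clusters whose options would skip verification.
def unverified_clusters(kubeconfig_yaml)
  clusters = YAML.safe_load(kubeconfig_yaml).fetch('clusters', [])
  skipped = clusters.select do |entry|
    safe_ssl_options(entry['cluster'])[:verify_ssl] == OpenSSL::SSL::VERIFY_NONE
  end
  skipped.map { |entry| entry['name'] }
end
```

Running `unverified_clusters` over the kubeconfig files an application loads shows which connections are unverified by explicit choice, as opposed to by a missing CA entry.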

Exploiting the Flaw

In order to exploit the CVE-2022-0759 vulnerability, an attacker would first need to intercept traffic between the vulnerable Ruby application and the Kubernetes REST API. This could be done using various MITM techniques such as ARP spoofing or DNS hijacking.

Once the attacker has successfully intercepted the traffic, they can then modify the content of the communications to inject their own commands, and potentially take over the Kubernetes cluster.

Solution

The developers of kubeclient have released a patched version (v4.9.3) which addresses the CVE-2022-0759 vulnerability. Ruby applications that employ kubeclient should urgently update to v4.9.3 or later, in order to protect against this critical vulnerability.

References

* CVE-2022-0759 Vulnerability Disclosure: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0759>
* kubeclient GitHub Repository: <https://github.com/abonas/kubeclient>
* kubeclient v4.9.3 Release Notes: <https://github.com/abonas/kubeclient/releases/tag/v4.9.3>

Conclusion

CVE-2022-0759 is a critical vulnerability in kubeclient that exposes Ruby applications to man-in-the-middle attacks. It is essential for developers using kubeclient to immediately update their applications to version v4.9.3 or later. Additionally, be aware of the potential risks associated with MITM attacks and employ strong network security practices to safeguard your environment.

Timeline

Published on: 03/25/2022 19:15:00 UTC
Last modified on: 04/07/2022 19:13:00 UTC