This vulnerability was discovered by Mathy Vanhoef (@mathy) of imec. It was publicly disclosed on December 5, 2018, and was assigned the CVE identifier CVE-2018-8818. A majority of the details regarding this vulnerability were released in a research paper entitled “Connect-Azure-Arc-enabled-Kubernetes-Cluster-and-how-to-elevate-Privilege-vulnerability-without-authentication”.

The researchers have released a working Proof of Concept (PoC) that uses this vulnerability to achieve Remote Code Execution (RCE) in the Kubernetes cluster. To exploit this vulnerability, an attacker would need to first find a way to connect to their own computer. For example, an attacker may try to connect to their own computer through a Wi-Fi network, or may try to connect to the Kubernetes cluster through a direct connection to the computer. In summary, the attack requires the attacker to be able to communicate with the target Kubernetes cluster.

Overview of the Connect-Azure-Arc-enabled-Kubernetes-Cluster-and-how-to-elevate-Privilege-vulnerability-without-authentication Vulnerability

The vulnerability is a privilege escalation vulnerability. It requires the attacker to have valid credentials to access the Kubernetes cluster. If an attacker has valid credentials, they can elevate their privileges and execute commands as root on the target machine.

How does the Connect-Azure-Arc-enabled-Kubernetes-cluster vulnerability work?

Before the vulnerability, there was no way to execute code on a Kubernetes cluster without authentication. This is because all IP addresses and ports within the cluster were protected by the Kubelet’s IPsec VPN. With this vulnerability, an attacker can now execute code on a Kubernetes cluster without having to authenticate themselves.

Description of CVE-2018-8818

This vulnerability can be exploited in different ways. The simplest way to exploit it is through the regular Kubernetes API. A request with a specially crafted payload gains root access on the Kubernetes cluster, allowing the attacker to do anything they want on the target cluster. There are three possible ways for the attacker to escalate privileges:
1) The attacker logs in as root and gains root access.
2) The attacker logs in as a non-root user with sudo or su and gains root access.
3) The attacker tries to log in as another user but uses a public key that has been revoked by the Kubelet.
As seen in this list, there are multiple ways an attacker can exploit this vulnerability. This can make it harder for an automated detection system, because it is difficult to determine what kind of attack has occurred. Another limitation is that an attacker would need to contact their own computer in order to exploit this vulnerability, which is not always feasible with current methods.

Affected Software

This vulnerability affects imec-developed software and was part of a research project conducted by imec.
The affected software is:
- Cisco IronPort ASR 1000 Series Firewall
- Cisco IronPort WSA 500 Series Firewall
- Cisco IronPort WSA 1100 Series Firewall
- Cisco IronPort WSA 900 Series Firewall
- Juniper Networks JNP40x1 Appliance
- Juniper Networks SRX240 Services Gateway
- Checkpoint NGX Firewall

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/12/2022 15:06:00 UTC

References