Vulnerability CVE-2018-1002105


Published: 2018-12-05

Description:
In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

See advisories in our WLB2 database:
Topic
Author
Date
High
Kubernetes (Authenticated) Arbitrary Requests
26.12.2018

Type:

CWE-388

(Error Handling)

Vendor: Redhat
Product: Openshift container platform 
Version:
3.8
3.6
3.5
3.4
3.3
3.2
3.11
3.10
See more versions on NVD
Vendor: Kubernetes
Product: Kubernetes 
Version:
1.9.9
1.9.8
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.2
1.9.12
1.9.11
1.9.10
1.9.1
1.9.0
1.8.9
1.8.8
1.8.7
1.8.6
1.8.5
1.8.4
1.8.3
1.8.2
1.8.16
1.8.15
1.8.14
1.8.13
1.8.12
1.8.11
1.8.10
1.8.1
1.8.0
1.7.9
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.17
1.7.16
1.7.15
1.7.14
1.7.13
1.7.12
1.7.11
1.7.10
1.7.1
1.7.0
1.6.9
1.6.8
1.6.7
1.6.6
1.6.5
1.6.4
1.6.3
1.6.2
1.6.14
1.6.13
1.6.12
1.6.11
1.6.10
1.6.1
1.6.0
1.5.9
1.5.8
1.5.7
1.5.6
1.5.5
1.5.4
1.5.3
1.5.2
1.5.1
1.5.0
1.4.9
1.4.8
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.12
1.4.11
1.4.1
1.4.0
1.3.9
1.3.8
1.3.7
1.3.6
1.3.5
1.3.4
1.3.3
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.openwall.com/lists/oss-security/2019/06/28/2
http://www.securityfocus.com/bid/106068
https://access.redhat.com/errata/RHSA-2018:3537
https://access.redhat.com/errata/RHSA-2018:3549
https://access.redhat.com/errata/RHSA-2018:3551
https://access.redhat.com/errata/RHSA-2018:3598
https://access.redhat.com/errata/RHSA-2018:3624
https://access.redhat.com/errata/RHSA-2018:3742
https://access.redhat.com/errata/RHSA-2018:3752
https://access.redhat.com/errata/RHSA-2018:3754
https://github.com/evict/poc_CVE-2018-1002105
https://github.com/kubernetes/kubernetes/issues/71411
https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88
https://security.netapp.com/advisory/ntap-20190416-0001/
https://www.coalfire.com/The-Coalfire-Blog/December-2018/Kubernetes-Vulnerability-What-You-Can-Should-Do
https://www.exploit-db.com/exploits/46052/
https://www.exploit-db.com/exploits/46053/

Related CVE
CVE-2019-11244
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a differe...
CVE-2019-11243
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.Anon...
CVE-2019-9946
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptable...
CVE-2019-1002101
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar b...
CVE-2019-1002100
In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Ty...
CVE-2018-1002101
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.
CVE-2016-7075
It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509...
CVE-2017-1002100
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to...

Copyright 2019, cxsecurity.com

 

Back to Top