In recent years, Kubernetes has become one of the most widely used container orchestration systems in the cloud. It is an open source system adopted for its ability to manage a containerized environment at scale: application containers are grouped into pods, pods are scheduled onto nodes (virtual or physical machines), and nodes are organized into a cluster. The control plane exposes an application programming interface (API) server, and through that API the Kubernetes master communicates with the kubelet, an agent that runs on every node and starts and supervises the containers scheduled there. This setup gives operators a single point from which to manage applications and processes across the whole container environment.
However, that popularity also makes Kubernetes an attractive target. A flaw in the API server, tracked as CVE-2018-1002105, led most cloud providers to issue warnings to their customers as soon as it was disclosed. The threat is serious because it allows an attacker to take control of an organization's nodes remotely; from there the attacker can steal data or tamper with the applications the organization runs in production.
Through a specially crafted request, any user can make the Kubernetes API server open a connection on their behalf to a backend server, either the kubelet on a node or an aggregated API server. Once that connection is established, the attacker can send arbitrary requests directly to the backend over it. Because the connection belongs to the API server, the backend treats every request on it as authenticated with the API server's own TLS client credentials, so the security mechanisms deployed around the cluster see nothing that looks anomalous or suspicious.
To make matters worse, in default configurations both unauthenticated and authenticated users are permitted to perform the discovery API calls that enable this escalation, which widens the pool of potential attackers considerably. Anyone aware of the loophole can therefore escalate their privileges and take command of a target's Kubernetes cluster. Worse still, there is no simple way to tell whether the vulnerability has been exploited. The unauthorized requests travel over an already established connection, so they are recorded neither in the Kubernetes API server log nor in its audit log. They do appear in the logs of the kubelet or the aggregated API server, but there they cannot be distinguished from requests that were correctly authorized and proxied by the API server.
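The mechanism just described, as an added example that is not part of the original article and not Kubernetes source code: a toy model in Python of the API server's upgrade proxy, with a vulnerable variant and a fixed one. The backend class, the RBAC table, the request paths and the identity string are invented stand-ins. What the model shows is that everything a client writes after the first request reaches the backend carrying the API server's identity and leaves no entry in the API server's audit log, while the fixed proxy closes the connection as soon as the backend answers anything other than 101 Switching Protocols.

```python
"""Toy model of the CVE-2018-1002105 proxy flaw.

Added example; this is not Kubernetes source code. Names, paths and the RBAC
table are invented stand-ins for the real components.
"""

# Stand-in for the API server's TLS client identity that every backend trusts.
APISERVER_IDENTITY = "system:kube-apiserver"
# Stand-in for RBAC: user -> set of (namespace, pod) the user may exec into.
RBAC = {"dev": {("team-a", "web")}}


class Kubelet:
    """Stand-in for a kubelet (or aggregated API server) behind the proxy."""

    def __init__(self):
        self.log = []  # what the backend logs; every entry looks equally legitimate

    def handle(self, req):
        self.log.append(req)
        if req.get("identity") != APISERVER_IDENTITY:
            return {"status": 401, "body": "unauthorized"}
        if req["path"].startswith("/exec/") and req.get("upgrade"):
            if not req.get("command"):
                # Malformed upgrade: the backend answers with a plain HTTP error
                # and keeps the HTTP connection open instead of switching protocols.
                return {"status": 400, "body": "missing command"}
            return {"status": 101, "body": "Switching Protocols"}
        if req["path"] == "/pods":
            return {"status": 200, "body": "every pod on this node"}
        if req["path"].startswith("/run/"):
            return {"status": 200, "body": "output of %s in %s" % (req.get("command"), req["path"])}
        return {"status": 404, "body": "not found"}


def user_may_exec(user, namespace, pod):
    return (namespace, pod) in RBAC.get(user, set())


def proxy_connection(backend, user, first, follow_ups, fixed):
    """One client connection through the API server's upgrade-aware proxy.

    Returns (responses seen by the client, API server audit entries).
    fixed=False reproduces the pre-fix behaviour.
    """
    if not user_may_exec(user, first["namespace"], first["pod"]):
        audit = [{"user": user, "path": first["path"], "status": 403}]
        return [{"status": 403, "body": "forbidden"}], audit
    # The initial request is authorized as the user, then forwarded over the
    # proxy's own backend connection, which carries the API server's identity.
    resp = backend.handle(dict(first, identity=APISERVER_IDENTITY))
    audit = [{"user": user, "path": first["path"], "status": resp["status"]}]
    responses = [resp]
    if resp["status"] == 101:
        return responses, audit  # genuine exec stream: framed data, not HTTP, follows
    if fixed:
        return responses, audit  # fix: backend did not answer 101, so close here
    # Vulnerable path: the backend still speaks HTTP on the open connection, so
    # every follow-up the client writes is parsed as a new request carrying the
    # API server's identity. The proxy neither authorizes nor audits these.
    for req in follow_ups:
        responses.append(backend.handle(dict(req, identity=APISERVER_IDENTITY)))
    return responses, audit


def run_attack(fixed):
    """Constructed scenario: 'dev' may only exec into team-a/web."""
    kubelet = Kubelet()
    first = {"namespace": "team-a", "pod": "web", "path": "/exec/team-a/web/app",
             "upgrade": "SPDY/3.1", "command": None}  # deliberately malformed
    follow_ups = [
        {"path": "/pods"},  # list every pod on the node, in any namespace
        {"path": "/run/kube-system/dns/coredns", "command": "id"},  # run a command elsewhere
    ]
    responses, audit = proxy_connection(kubelet, "dev", first, follow_ups, fixed)
    return responses, audit, kubelet.log


if __name__ == "__main__":
    for fixed in (False, True):
        responses, audit, backend_log = run_attack(fixed)
        print("fixed=%s client saw %s, audit entries=%d, backend entries=%d"
              % (fixed, [r["status"] for r in responses], len(audit), len(backend_log)))
```

Run it and compare the two lines: with fixed=False the client receives a 400 followed by two 200s, the API server audit log holds a single entry (the 400), and the backend log holds three entries that all carry the API server's identity; with fixed=True only the 400 reaches the client and nothing else reaches the backend.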
The Kubernetes vulnerability is disastrous to any organization. Garry Chen, an analyst and manager at International Data Corporation (IDC), states that although Kubernetes has had security flaws in the past, CVE-2018-1002105 is the worst. “This is always the worry with centralized control planes — if someone hacks it, they can get access to everything else,” Garry Chen argues. By exploiting the vulnerability, an adversary can reach cloud systems and services without authorization and without being detected, gaining access to a victim's environment that is broad enough to carry out almost any malicious activity.
The vulnerability affects every cloud product and service built on the Kubernetes orchestration system. A Red Hat advisory characterized it as a privilege escalation flaw and called it a big deal: an attacker who exploits it can not only inject malicious code or steal sensitive and confidential data, but also bring down production applications and services from within an organization's firewall. The flaw therefore gives criminals and other ill-intentioned users access to the controls an organization depends on to keep its operations running, and a foothold inside the perimeter from which they can reach other systems that the firewall was meant to protect.
The vulnerability carries one of the highest severity ratings possible: a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10, which marks it as critical and a threat to be taken seriously. The score reflects how easy the flaw is to exploit; exploitation requires no user interaction, which makes unauthorized access that much easier to obtain. Two main attack paths have been identified. In the first, an ordinary authenticated user who holds exec, attach or portforward rights on a pod (a group of one or more containers that share network and storage resources) can escalate those rights to cluster-admin level on the kubelet API of the node running that pod, and with them run any command in any container on that node. In the second, the attacker abuses the API extension mechanism used by aggregated API servers such as servicecatalog and metrics-server, which ship with OpenShift Container Platform, OpenShift Online and OpenShift Dedicated. This path requires no admin rights at all, so even an unauthenticated user can obtain admin rights to every aggregated API deployed in the cluster.
What, then, are the mitigation strategies for this vulnerability? The most effective is to run a patched Kubernetes release: v1.10.11, v1.11.5, v1.12.3, v1.13.0-rc.1, or anything later. Every release before these carries the flaw, and running one exposes a cluster to a great deal of danger. Red Hat has likewise released security patches for OpenShift Container Platform, OpenShift Online, OpenShift Dedicated and the rest of the OpenShift family. Upgrading to the latest Kubernetes and OpenShift releases is therefore strongly advised as the primary defense. Where an immediate upgrade is not possible, the interim mitigations for CVE-2018-1002105 are to disable anonymous requests (start kube-apiserver with --anonymous-auth=false), to suspend the use of aggregated API servers, and to remove pod exec, attach and portforward permissions from users who should not have full access to the kubelet API. These workarounds can disrupt an organization's operating environment, since health checks and add-ons may depend on anonymous or aggregated access, which leaves updating the Kubernetes and OpenShift software as the most viable option.
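Two checks a practitioner would run while triaging these mitigations, as an added example that is not from the original article and not an official Kubernetes or OpenShift tool: a version test against the patched releases named above, and an RBAC scan for the exec, attach and portforward grants that should be removed from ordinary users. It assumes that 1.13.0-rc.1 and everything later contains the fix, treats both the get and create verbs as sufficient to reach those endpoints (they accept GET and POST upgrade requests), and runs on constructed Role and RoleBinding objects of the same shape as the JSON kubectl returns, rather than on a live cluster.

```python
"""Two offline checks for CVE-2018-1002105 triage.

Added example; not part of the original article and not an official Kubernetes
or OpenShift tool. Assumes 1.13.0-rc.1 and later carry the fix, and runs on
constructed RBAC objects rather than a live cluster.
"""
import re

# First patched release on each affected minor, from the fixed versions above.
FIXED_PATCH = {(1, 10): (1, 10, 11), (1, 11): (1, 11, 5), (1, 12): (1, 12, 3)}
FIRST_FIXED_MINOR = (1, 13)  # assumption: 1.13.0-rc.1 and everything later are fixed

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(git_version):
    """'v1.11.4-gke.7' -> (1, 11, 4); vendor and pre-release suffixes are ignored."""
    m = _VERSION.match(git_version)
    if not m:
        raise ValueError("unrecognised version: %r" % git_version)
    return tuple(int(x) for x in m.groups())


def is_patched(git_version):
    """True if the server version is at or beyond the first fixed release of its minor."""
    major, minor, patch = parse_version(git_version)
    if (major, minor) >= FIRST_FIXED_MINOR:
        return True
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and (major, minor, patch) >= fixed


# Pod subresources to withhold from users who should not have full kubelet API access.
RISKY = {"pods/exec", "pods/attach", "pods/portforward"}


def risky_grants(role):
    """Return the risky subresources a Role/ClusterRole grants, as a sorted list.

    A rule counts when its apiGroups cover the core group ("" or "*"), its
    resources name the subresource literally or via "*" / "pods/*", and its
    verbs include "create", "get" or "*" (assumption: GET and POST both open
    the upgrade endpoints, so either verb is enough).
    """
    found = set()
    for rule in role.get("rules", []):
        if not set(rule.get("apiGroups", [])) & {"", "*"}:
            continue
        if not set(rule.get("verbs", [])) & {"create", "get", "*"}:
            continue
        for res in rule.get("resources", []):
            if res in ("*", "pods/*"):
                found |= RISKY
            elif res in RISKY:
                found.add(res)
    return sorted(found)


def subjects_with_risky_grants(roles, bindings):
    """Join bindings to roles; map 'Kind:name' subjects to the risky grants they hold."""
    by_ref = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    report = {}
    for binding in bindings:
        ref = binding["roleRef"]
        role = by_ref.get((ref["kind"], ref["name"]))
        grants = risky_grants(role) if role else []
        if not grants:
            continue
        for subject in binding.get("subjects", []):
            key = "%s:%s" % (subject["kind"], subject["name"])
            report.setdefault(key, set()).update(grants)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample objects (not from a real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "User", "name": "dev"}, {"kind": "ServiceAccount", "name": "ci"}]},
    {"kind": "RoleBinding", "roleRef": {"kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "Group", "name": "auditors"}]},
]

if __name__ == "__main__":
    for v in ("v1.11.4-gke.7", "v1.11.5", "v1.13.0-rc.1", "v1.9.11"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for subject, grants in sorted(subjects_with_risky_grants(SAMPLE_ROLES, SAMPLE_BINDINGS).items()):
        print(subject, "->", ", ".join(grants))
```

On the sample data the scan reports system:masters with all three subresources and the dev user and ci service account with pods/exec and pods/portforward, while the auditors group, which only reads pods and logs, is absent; those are the bindings to review before deciding whether the third interim mitigation can be applied without breaking anyone's workflow.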