Guest post originally published on ARMO’s blog by Ben Hirschberg
All the main K8s vulnerabilities from 2022 consolidated into one article. Put together by Ben Hirschberg, CTO & co-founder of ARMO.
During 2022, Kubernetes continued to cement itself as a critical infrastructure component in the modern software stack. From small to large organizations, it has become a widely popular choice. For obvious reasons, this shift made Kubernetes more susceptible to attacks. But this is not the end of it. Keep in my mind that developers typically use a Kubernetes deployment with other cloud-native components to make a working system. Unfortunately, this infusion results in a more complex infrastructure with more components. That ultimately increases the surface and scope vulnerable to attacks.
According to Red Hat’s “2022 state of Kubernetes security report”, 93% of those surveyed last year reported at least one incident impacting a Kubernetes environment. Out of the total security incidents reported, 53% were due to misconfigurations, and 38% were due to the exploitation of vulnerabilities. The trend shows an increase in vulnerabilities mainly due to an increasing attack surface area and complexity in vulnerability management. Understandably, this is a concern for the entire industry.
In this article, we discuss 2022 Kubernetes vulnerabilities and what we can learn from them. To make sure we’re all on the same page, let’s define vulnerability. To do so, let’s examine the standard definition from NIST SP 800-53: “A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system(s) security policy.”
Where to Look for Kubernetes Vulnerabilities?
There are various trusted data sources responsible for identifying, collecting, and publishing vulnerabilities in the public domain. The main ones are NVD (National Vulnerability Database) CVE database, GitHub security advisories, Exploit-DB, vendor notifications, and official project announcements.
Here is the list of sources to look for Kubernetes vulnerabilities:
- CVE MITRE database
- Kubernetes official CVE feed
- Kubernetes security announcements Google Group
- CVE Details
- Github Security Advisories
Classification of Vulnerabilities Relevant to Kubernetes
Denial of Service
This vulnerability occurs when legitimate users or clients are unable to access the service or system due to the actions of a malicious threat actor. For example, let’s say someone is querying your Kubernetes API server concurrently with numerous requests; the API server might then become unresponsive to other legitimate requests.
Certain system weaknesses allow an attacker to gain unauthorized access inside the security perimeter. In Kubernetes, container escape is a common weakness, and when exploited, a hacker can gain access to the host with elevated privileges.
This is a broader term for a type of vulnerability that includes authentication bypass, execution code bypass, permission bypass, etc.
Often, a buffer overflow can happen due to bugs in the code such as poor handling of out-of-bounds memory buffers. It allows malicious actors to access the memory of other co-hosted processes and leak unwanted information.
Arbitrary Code Execution
Here, an attacker exploits a flaw in the code and uses it to execute arbitrary malignant code, often to gain elevated access, network access, or control of the host system.
Directory or File Traversal
With this vulnerability, a hacker can take advantage of a weakness in the code to traverse arbitrary files and directories on the host system or network.
2022 Main Vulnerabilities
CVE-2022-0811 – Container Escape Vulnerability in CRI-O Runtime (cr8escape)
This vulnerability in CRI-O, a container runtime used by Kubernetes, was disclosed by CrowdStrike security researchers earlier this year with a CVE score of 9.0 (critical). It lets a malicious actor with access create a pod in a Kubernetes cluster to set arbitrary kernel parameters on the host by abusing the kernel.core_pattern parameter. This vulnerability allows hackers to escape from the Kubernetes container and gain root access to the host, potentially enabling them to deploy malware, exfiltrate data, and achieve lateral movement in the cluster.
- Use policies to block unsafe access to kernel resources, such as Pod Security Admission Controllers, which have replaced Pod Security Policies from Kubernetes 1.25. You can also use third-party admission controllers like this one from Kyverno.
- Regularly scan and audit the cluster, and patch vulnerabilities as soon as patches are released.
CVE-2022-1708 – Node DOS by Way of Memory Exhaustion Through execSync Request
This is again a vulnerability in the CRI-O container runtime that causes memory or disk space exhaustion on the node, thus impacting system availability. It was given a CVE score of 7.5 (high). Whoever has access to Kubernetes API can invoke execSync, which runs a command or gets the log from the container synchronously. If the output of the command is very large, it may fill up the memory or disk and cause unavailability of the node or other co-hosted services.
CVE-2022-31030 is also similar to CVE-2022-1708, but CVE-2022-31030 is due to the containerd container runtime instead of CRI-O.
- Use the principle of least privilege to reduce the risk of attack. If you don’t give a privilege to run the “exec” command on the pod or give minimal privileges to the service account used by the applications interacting with the Kubernetes API server, the hacker won’t be able to exploit the vulnerability.
- Implement patches as soon as they are released.
CVE-2022-29165 – ArgoCD Authentication Bypass
This critical vulnerability with the highest score of 10.0 created panic for users of ArgoCD, a popular GitOps continuous delivery tool that is used to deploy applications on Kubernetes clusters. The vulnerability allows unauthenticated users to gain anonymous access, enabling them to impersonate any other user including admins by sending a specifically crafted JSON Web Token (JWT).
The exploitation was easy, as the attacker didn’t need any account in ArgoCD. By default, ArgoCD service accounts get a cluster-admin role, thus giving the attacker full access to the Kubernetes cluster.
- Disable anonymous access to ArgoCD.
- Follow the principle of least privilege for application service accounts.
- Keep critical component endpoints behind a secure perimeter to which only trusted people are granted access.
CVE-2022-24348 – A 0-Day Critical Vulnerability in ArgoCD
Another critical vulnerability in the ArgoCD project discovered at the start of the year, this one, if exploited, can leak sensitive information such as application credentials, API keys, and secrets from other applications. This 0-day vulnerability lets malicious actors bypass the directory traversal checks and gain access to other confidential information stored in ArgoCD. We have previously discussed this vulnerability in detail.
- Have a continuous scanning solution such as Kubescape to detect vulnerabilities.
- Implement patches as soon as they are released.
CVE-2022-23648 – Arbitrary Host File Access in Containerd
This vulnerability is found in the containerd versions 1.6.1, 1.5.10, and 1.14.12 and allows attackers to read the arbitrary host file. Thus, an attacker can read confidential files such as kubelet private keys and can access the Kubernetes API server/etcd database to exfiltrate information.
- Have a continuous scanning solution to detect vulnerabilities.
- Implement patches as soon as they are released.
CVE-2022-0185 – Linux Kernel Container Escape
A heap-based buffer overflow flaw in the File Context API in Linux can lead to out-of-bounds writes. A malicious actor with local access can then cause a denial of service attack or run arbitrary code on the host. To detect this vulnerability exposure in Kubernetes, you would need to find the pods with CAP_SYS_ADMIN capabilities. Learn more about CVE-2022-0185 here.
- Limit the container capabilities in Kubernetes deployments.
- Deploy a matured detection tool that can quickly discover you are exposed and alert you to mitigate the risk.
CVE-2022-39306 – Unauthorized access to arbitrary endpoints in Grafana codebase
Grafana Labs published a security advisory for a new critical vulnerability in its open-source product. The vulnerability, marked as CVE-2022-39328, enables attackers to bypass authorization on arbitrary service endpoints. This is a critical vulnerability which bypasses authentication. The fact that Grafana is used by ~50% of Kubernetes users in production makes this CVE especially worth noting.
- Grafana released a fix: version 9.2.4.
- Kubescape has developed a dedicated control – C-0090 – in the ARMOBest framework. It can verify whether your system has vulnerable Grafana versions that might be exploited by this CVE.
CVE-2022-47633: Kyverno’s container image signature verification can be bypassed by a malicious registry or proxy
Security researchers at ARMO have found a high-severity vulnerability in the Kyverno admission controller container image signature verification mechanism. The vulnerability enables an attacker who is either running a malicious container image registry or is able to act as a proxy between the registry and Kyverno, to inject unsigned images into the protected cluster, bypassing the image verification policy. The vulnerability was introduced in version 1.8.3 and was fixed in version 1.8.5. We recommend all Kyverno users update as soon as possible.
- Implement a policy that only allows trusted registries, which would prevent the malicious registry from being used.
- Use Kubescape to scan container image registries in order to make sure you’re not pulling malicious images.
- Kubescape has developed a dedicated control – C-0091– in the ARMOBest framework verifying if this CVE exists in your cluster. Please install or update to the latest Kubescape version from GitHub, or via the following command:
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash kubescape scan control C-0091
Below are some of the key takeaways from the vulnerabilities discussed.
Container escape is one of the most frequently exploited vulnerabilities in Kubernetes. Implementing security profiles such as AppArmor and SELinux, as well as pod security standards in your Kubernetes deployment can reduce exposure to attacks. You can also look into some guidance we shared earlier this year on how to secure a Kubernetes deployment.
Follow the principle of least privilege when assigning roles and privileges to your service accounts and users. This reduces the chance of an attacker getting excessive privileges on the cluster even if they have infiltrated it. Utilize the RBAC visualizer in the Kubescape portal to detect roles and actors with unnecessary permissions.
Use the defense in-depth technique to make it tougher for malicious actors to achieve lateral movement and exfiltrate data.
It is advisable to take frequent and continuous scans of your K8s manifest files, code repositories, and clusters to find vulnerabilities.
Establish a process to update the software packages on your Kubernetes clusters regularly. After disclosure of vulnerabilities, hackers try to exploit targets that are not patched almost immediately. One such example was the Log4J vulnerability, which was exploited 840,000 times in the first 72 hours.
Use container sandbox projects such as gVisor that can strengthen container boundaries and protect against container escape and privilege escalation by providing strong isolation in a multi-tenant system.
It is not always possible to completely avoid a vulnerability. This is due to software bugs and unidentified weaknesses in the code that have passed through the testing and review process.
But, what we can do is follow best practices to secure the platform and the software deployed on it to reduce the impact. We can also be more proactive in applying fixes by setting robust continuous deployment processes to patch vulnerabilities.
Kubescape scans your clusters to detect vulnerabilities and unearth security issues before attackers exploit them. Take a look at our demo page today and keep your 2023 more secure.