CVE-2019-4415 IBM Cloud Private privilege escalation Jul 2019

Preface: Refer to market statistic on 2018, the growth in cloud revenues appear to be the strongest for Microsoft and weakest for IBM.

Vulnerability details: In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces

Remedy: For IBM Cloud Private 3.1.1 or 3.1.2:

To resolve the issue, run the following kubectl commands on the master node:

  1. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “remove”, “path”: “/groups”}]’
  2. kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “add”, “path”: “/users”, “value”: [“system:serviceaccount:kube-system:default”,”system:serviceaccount:istio-system:default”, “system:serviceaccount:icp-system:default”,”system:serviceaccount:cert-manager:default”] }]’

Reference:

The privileged SCC allows:

  • Users to run privileged pods
  • Pods to mount host directories as volumes
  • Pods to run as any user
  • Pods to run with any MCS label
  • Pods to use the host’s IPC namespace
  • Pods to use the host’s PID namespace
  • Pods to use any FSGroup
  • Pods to use any supplemental group
  • Pods to use any seccomp profiles
  • Pods to request any capabilities

The restricted SCC:

  • Ensures that pods cannot run as privileged.
  • Ensures that pods cannot mount host directory volumes.
  • Requires that a pod run as a user in a pre-allocated range of UIDs.
  • Requires that a pod run with a pre-allocated MCS label.
  • Allows pods to use any FSGroup.
  • Allows pods to use any supplemental group.

Supplement: CVE-2019-4439 – IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system.

Remedy – For IBM Cloud Private 3.1.2, apply patch: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build520356-23797&includeSupersedes=0