CVE-2024-36532: Insecure permissions in kruise v1.6.2 (21 June 2024)

Preface: CNCF (Cloud Native Computing Foundation) is the open source, vendor-neutral hub of cloud native computing, hosting projects like Kubernetes and Prometheus to make cloud native universal and sustainable.

Background: OpenKruise is a suite of extension components for Kubernetes that focuses on automated management of large-scale applications, such as deployment, upgrades, maintenance, and availability protection. Most of the functionality provided by OpenKruise is primarily built on CRD extensions.

Vulnerability details: Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account’s token.

  1. The attacker steals the token.
    Here is an example of how a token could be stolen: in CNCF there is a project named hwameistor, and the DaemonSet hwameistor-local-disk-manager for that project has a cluster role named hwameistor-admin, which has the update/patch verbs on the nodes resource. If a malicious user takes control of a worker node, by default the “hwameistor-local-disk-manager” pod will run on that node, and he/she can use that pod to patch/update other nodes and force kruise’s pod to run on the malicious worker node. Then he/she can steal the token.
  2. Use the obtained token to authenticate with the API Server. By including the token in the request, the attacker is recognized as a legitimate user with the ServiceAccount and gains all privileges associated with that ServiceAccount.
  3. Use those privileges to access all Secrets in the cluster.
  4. Use the sensitive information in the Secrets to elevate privileges and explore other sensitive resources, eventually taking over the entire cluster.
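The chain above rests on two over-broad RBAC grants: cluster-wide read access to Secrets (what the stolen ServiceAccount token yielded) and update/patch on Nodes (what let a pod steer scheduling onto a controlled node). The following script is an added example, not code from the OpenKruise or hwameistor projects, that audits ClusterRole objects for exactly those grants so a cluster operator can spot them before an attacker does. The three sample roles embedded in it are constructed for illustration; in practice you would feed it the `items` from `kubectl get clusterroles -o json`.

```python
"""Audit Kubernetes ClusterRoles for the grants behind the CVE-2024-36532 chain:
cluster-wide get/list on Secrets and update/patch on Nodes."""

# (resource, verb) -> why a cluster-wide grant of it is risky
RISKY_GRANTS = {
    ("secrets", "get"): "can read any Secret in the cluster",
    ("secrets", "list"): "can enumerate and read every Secret in the cluster",
    ("nodes", "update"): "can rewrite Node objects (labels/taints) and steer scheduling",
    ("nodes", "patch"): "can patch Node objects (labels/taints) and steer scheduling",
}


def rule_grants(rule, resource, verb):
    """True if one PolicyRule grants `verb` on `resource` cluster-wide.

    Secrets and Nodes live in the core API group (""), so the rule must name
    that group or "*". A rule scoped with resourceNames only covers the named
    objects, so it is not treated as a cluster-wide grant here."""
    if rule.get("resourceNames"):
        return False
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    group_ok = "*" in groups or "" in groups
    resource_ok = "*" in resources or resource in resources
    verb_ok = "*" in verbs or verb in verbs
    return group_ok and resource_ok and verb_ok


def audit_cluster_role(role):
    """Return sorted, de-duplicated (resource, verb, reason) findings for one ClusterRole."""
    findings = set()
    for rule in role.get("rules", []):
        for (resource, verb), reason in RISKY_GRANTS.items():
            if rule_grants(rule, resource, verb):
                findings.add((resource, verb, reason))
    return sorted(findings)


def audit(roles):
    """Map ClusterRole name -> findings, omitting roles with none."""
    report = {}
    for role in roles:
        hits = audit_cluster_role(role)
        if hits:
            report[role["metadata"]["name"]] = hits
    return report


# Constructed sample ClusterRoles (not taken from any real cluster or project).
SAMPLE_ROLES = [
    # Node write access like the hwameistor-admin role described in the advisory
    {"metadata": {"name": "example-node-admin"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"],
                "verbs": ["get", "list", "update", "patch"]}]},
    # A wildcard role: everything on everything, the worst case for a stolen token
    {"metadata": {"name": "example-controller"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # Read-only on pods: nothing to flag
    {"metadata": {"name": "example-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ROLES).items():
        print(name)
        for resource, verb, reason in hits:
            print(f"  {verb} {resource}: {reason}")
```

Roles that show up in the report are candidates for least-privilege tightening (scoping Secret reads to a namespace via a Role instead of a ClusterRole, or dropping node write verbs that a component does not actually need), which removes the payoff of a stolen token even if a pod is compromised.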

Official announcement: For details, please refer to the link: https://www.tenable.com/cve/CVE-2024-36532
