Preface: CNCF (Cloud Native Computing Foundation) is the open source, vendor-neutral hub of cloud native computing, hosting projects like Kubernetes and Prometheus to make cloud native universal and sustainable.
Background: OpenKruise is a suite of extension components for Kubernetes that focuses on automated management of large-scale applications, such as deployment, upgrades, maintenance, and availability protection. Most of the functionality provided by OpenKruise is primarily built on CRD extensions.
Vulnerability details: Insecure permissions in kruise v1.6.2 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token.
- The attacker steals the token. Here is an example of stealing a token: in CNCF, there is a project named hwameistor, and the DaemonSet hwameistor-local-disk-manager for that project has a cluster role named hwameistor-admin, which has the update/patch verb on the nodes resource. If a malicious user takes control of a worker node, by default the "hwameistor-local-disk-manager" pod will run on that node and he/she can use that pod to patch/update other nodes and force kruise's pod to run on the malicious worker node. Then, he/she can steal the token.
- Use the obtained token to authenticate with the API Server. By including the token in the request, the attacker is recognized as a legitimate user with the ServiceAccount and gains all privileges associated with that ServiceAccount.
- Use the privileges to access all Secrets in the cluster.
- Use the sensitive information in the Secrets to elevate privileges and explore other sensitive resources, and eventually take over the entire cluster.
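The chain above depends on two RBAC grants: a node-scoped workload whose ClusterRole can update/patch nodes, and a controller whose ServiceAccount can read Secrets cluster-wide. As an added example (not code from the advisory, OpenKruise or hwameistor), the audit below walks ClusterRoles and ClusterRoleBindings and reports which ServiceAccounts hold either grant, including wildcard verbs; the sample objects are constructed, and the kruise role and ServiceAccount names are assumptions.

```python
# Added example, not from the advisory or either project: audit ClusterRoles and
# ClusterRoleBindings for the grants this chain relies on (update/patch on nodes,
# cluster-wide reads of secrets). Inputs mirror `kubectl get ... -o json` items.
NODE_WRITE = {"update", "patch"}
SECRET_READ = {"get", "list", "watch"}

def risky_rules(role):
    """Return (resource, sorted verbs) pairs in one ClusterRole that matter for this chain."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:  # a wildcard verb grants every verb we care about
            verbs = NODE_WRITE | SECRET_READ
        resources = set(rule.get("resources", []))
        if resources & {"nodes", "*"} and verbs & NODE_WRITE:
            findings.append(("nodes", sorted(verbs & NODE_WRITE)))
        if resources & {"secrets", "*"} and verbs & SECRET_READ:
            findings.append(("secrets", sorted(verbs & SECRET_READ)))
    return findings

def audit(roles, bindings):
    """Map 'namespace:serviceaccount' to the risky grants it receives via ClusterRoleBindings."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    report = {}
    for binding in bindings:
        role = by_name.get(binding["roleRef"]["name"])
        findings = risky_rules(role) if role else []
        for subject in binding.get("subjects", []):
            if findings and subject.get("kind") == "ServiceAccount":
                key = f"{subject.get('namespace', 'default')}:{subject['name']}"
                report.setdefault(key, []).extend(findings)
    return report

# Constructed sample objects modelled on the advisory; the kruise names are assumptions.
SAMPLE_ROLES = [
    {"metadata": {"name": "hwameistor-admin"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "update", "patch"]}]},
    {"metadata": {"name": "kruise-manager-role"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"name": "hwameistor-admin"}, "subjects": [
        {"kind": "ServiceAccount", "namespace": "hwameistor", "name": "hwameistor-local-disk-manager"}]},
    {"roleRef": {"name": "kruise-manager-role"}, "subjects": [
        {"kind": "ServiceAccount", "namespace": "kruise-system", "name": "kruise-manager"}]},
    {"roleRef": {"name": "pod-viewer"}, "subjects": [
        {"kind": "ServiceAccount", "namespace": "default", "name": "viewer"}]},
]
```

Run against a live cluster by feeding the `items` arrays of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` to `audit`; any ServiceAccount appearing with both a nodes and a secrets finding, or a node-scoped DaemonSet account with a nodes finding, is where to tighten RBAC first.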
Official announcement: For details, please refer to https://www.tenable.com/cve/CVE-2024-36532