First major Kubernetes flaw enables hackers to access backend servers undetected
Researchers have uncovered the first known security flaw in Kubernetes, a popular open-source tool for managing application workloads.
Developers published three security updates this week that promised to protect users of Kubernetes, a containerized application system, from a new vulnerability that could make it possible for hackers to inject malicious code or bring down an app from behind an organization’s firewall. Kubernetes runs on top of operating systems, taking commands from an administrator or developer and passing those instructions to nodes throughout an environment.
This bug, the first major issue found in Kubernetes, warranted a 9.8 out of 10 severity score because it could allow outsiders to establish a connection through Kubernetes’ trusted application programming interface (API) to backend servers, ZDNet reported.
From there, hackers can use that authentication to send arbitrary or malicious requests disguised under valid Kubernetes credentials, using that access to gain full administrator privileges. Exploiting the flaw is of low difficulty and does not require direct user interaction.
“There is no simple way to detect whether this vulnerability has been used,” reads the GitHub post where the vulnerability was first announced last week. “Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. … In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.”
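Because the advisory says the abuse does not show up in API server audit logs, defenders are left with two checks: confirm the API server is on a fixed release, and confirm the default discovery bindings no longer reach unauthenticated users. The following is an added example, not code from the article or from the Kubernetes project; it runs offline on constructed samples shaped like the JSON that `kubectl version -o json` and `kubectl get clusterrolebindings -o json` return, and it assumes the fix releases v1.11.5 and v1.12.3 named later in the article (the v1.10 line is left out here).

```python
import json
import re

# Fix releases per minor line, taken from the article (assumption: only the
# v1.11 and v1.12 lines are encoded; any other minor line is treated as unpatched).
PATCHED = {(1, 11): 5, (1, 12): 3}


def parse_version(git_version):
    """Turn 'v1.11.3' or 'v1.12.3-gke.1' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised version string: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def server_is_patched(version_json):
    """True if the serverVersion in `kubectl version -o json` output is at or
    beyond the fix release for its minor line; unknown lines count as unpatched."""
    info = json.loads(version_json)["serverVersion"]["gitVersion"]
    major, minor, patch = parse_version(info)
    fixed = PATCHED.get((major, minor))
    return fixed is not None and patch >= fixed


def bindings_open_to_unauthenticated(crb_list_json):
    """Names of ClusterRoleBindings whose subjects include the
    system:unauthenticated group, i.e. the discovery bindings the
    advisory says to remove when a cluster cannot be upgraded at once."""
    hits = []
    for crb in json.loads(crb_list_json)["items"]:
        for subj in crb.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") == "system:unauthenticated":
                hits.append(crb["metadata"]["name"])
                break
    return hits


# Constructed sample data (trimmed to the fields the checks read).
SAMPLE_VERSION = '{"serverVersion": {"gitVersion": "v1.11.3"}}'
SAMPLE_CRBS = json.dumps({"items": [
    {"metadata": {"name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]})

if __name__ == "__main__":
    print("API server patched:", server_is_patched(SAMPLE_VERSION))
    print("Bindings open to unauthenticated users:", bindings_open_to_unauthenticated(SAMPLE_CRBS))
```

On a live cluster, feed the two functions the output of the corresponding kubectl commands instead of the constructed samples.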
Kubernetes can be used as a container platform, a microservices platform or as a portable cloud platform that also facilitates automation, according to its website. It also can be used to orchestrate computing, networking and storage infrastructure on behalf of developers’ workloads.
Google senior staff engineer Jordan Liggitt said in an update to the GitHub post Monday that Kubernetes versions v1.10.111, v1.11.5 and v1.12.3 are now available to fix the vulnerability, known as CVE-2018-1002195.
Kubernetes was first designed by Google and is now maintained by the nonprofit Cloud Native Computing Foundation.