CVE-2017-1000056: PodSecurityPolicy admission plugin authorizes incorrectly #43459

Closed
liggitt opened this issue Mar 21, 2017 · 3 comments · Fixed by #43489
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/auth Categorizes an issue or PR as relevant to SIG Auth.

liggitt commented Mar 21, 2017

A PodSecurityPolicy admission plugin vulnerability allows users to make use of any PodSecurityPolicy object, even ones they are not authorized to use.

CVE: CVE-2017-1000056

Who is affected?
Only Kubernetes 1.5.0-1.5.4 installations that do all of the following:

  • Enable the PodSecurityPolicy API (which is not enabled by default):
    `--runtime-config=extensions/v1beta1/podsecuritypolicy=true`
  • Enable the PodSecurityPolicy admission plugin (which is not enabled by default):
    `--admission-control=...,PodSecurityPolicy,...`
  • Use authorization to limit users' ability to use specific PodSecurityPolicy objects

kubeadm and GKE do not allow enabling PodSecurityPolicy in 1.5, so are not affected by this vulnerability.

kube-up.sh and kops do not enable PodSecurityPolicy by default, so are not affected by this vulnerability. A modified kube-up.sh or kops deployment could have enabled it.

What is the impact?
A user that is authorized to create pods can make use of any existing PodSecurityPolicy, even ones they are not authorized to use.

How can I mitigate this prior to installing 1.5.5?

  1. Export existing PodSecurityPolicy objects:
     `kubectl get podsecuritypolicies -o yaml > psp.yaml`

  2. Review and delete any PodSecurityPolicy objects you do not want all pod-creating users to be able to use (NOTE: Privileged users that were making use of those policies will also lose access to those policies). For example:
     `kubectl delete podsecuritypolicies/my-privileged-policy`

  3. After upgrading to 1.5.5, re-create the exported PodSecurityPolicy objects:
     `kubectl create -f psp.yaml`
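
A review aid for step 2 of the mitigation above, added here as an example; it is not code from this issue or from the Kubernetes project. It reports which exported policies grant settings that relax pod isolation, since on an affected cluster every pod-creating user can use them. Assumptions: the export is taken with `-o json` instead of `-o yaml`, the sample policies are constructed, and the choice of which settings count as elevated is illustrative.

```python
import json

# Constructed sample standing in for `kubectl get podsecuritypolicies -o json`
# (assumption: JSON export instead of the YAML export used in step 1).
SAMPLE_EXPORT = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "restricted"},
         "spec": {"privileged": False,
                  "volumes": ["configMap", "secret", "emptyDir"],
                  "runAsUser": {"rule": "MustRunAsNonRoot"}}},
        {"metadata": {"name": "my-privileged-policy"},
         "spec": {"privileged": True, "hostNetwork": True, "hostPID": True,
                  "volumes": ["*"],
                  "allowedCapabilities": ["SYS_ADMIN"],
                  "runAsUser": {"rule": "RunAsAny"}}},
    ],
})

# Boolean spec fields that give a pod access to the host.
HOST_FLAGS = ("privileged", "hostNetwork", "hostPID", "hostIPC")


def elevated_settings(spec):
    """Return the settings in a PodSecurityPolicy spec that relax isolation."""
    found = [flag for flag in HOST_FLAGS if spec.get(flag) is True]
    risky_volumes = sorted({"*", "hostPath"} & set(spec.get("volumes") or []))
    if risky_volumes:
        found.append("volumes=" + ",".join(risky_volumes))
    if spec.get("allowedCapabilities"):
        found.append("allowedCapabilities=" + ",".join(spec["allowedCapabilities"]))
    if (spec.get("runAsUser") or {}).get("rule") == "RunAsAny":
        found.append("runAsUser=RunAsAny")
    return found


def review(export_json):
    """Map each policy name to its elevated settings (empty list if none)."""
    doc = json.loads(export_json)
    items = doc.get("items", [doc])  # accept a List or a single object
    return {p["metadata"]["name"]: elevated_settings(p.get("spec", {})) for p in items}


if __name__ == "__main__":
    for name, settings in sorted(review(SAMPLE_EXPORT).items()):
        verdict = "review before keeping" if settings else "no elevated settings found"
        print(f"{name}: {verdict} {settings}")
```

Policies reported with a non-empty list are the candidates for deletion in step 2; keep the step 1 export so they can be re-created after the upgrade.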

@liggitt liggitt self-assigned this Mar 21, 2017
@liggitt liggitt changed the title placeholder PodSecurityPolicy admission plugin authorizes incorrectly Mar 22, 2017
@liggitt liggitt added area/security kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Mar 22, 2017
@liggitt liggitt added this to the v1.6 milestone Mar 22, 2017
k8s-github-robot pushed a commit that referenced this issue Mar 22, 2017
Automatic merge from submit-queue (batch tested with PRs 43492, 43489)

Authorize PSP usage for pods without service accounts

Fixes #43459

```release-note
PodSecurityPolicy authorization is correctly enforced by the PodSecurityPolicy admission plugin.
```
@cjcullen

Kubeadm and GKE do not allow enabling PodSecurityPolicy in 1.5, so are not affected by this.

Kube-up.sh and kops do not enable PodSecurityPolicy by default. A modified kube-up.sh or kops deployment could have enabled it.

@liggitt liggitt changed the title PodSecurityPolicy admission plugin authorizes incorrectly CVE-2017-1000056: PodSecurityPolicy admission plugin authorizes incorrectly Jun 22, 2017
b0b0haha commented May 13, 2021

Could you please give an example showing how an attacker can create a pod without serviceaccounts?

@PushkarJ

/label official-cve-feed

(Related to kubernetes/sig-security#1)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label May 16, 2022