Kubernetes Remote Code Execution via Nodes/Proxy Get Permission (opens in new tab)

(grahamhelton.com)

55 pointsillithid01mo ago4 comments

4 comments

> nodes/proxy GET allows command execution when using a connection protocol such as WebSockets. This is due to the Kubelet making authorization decisions based on the initial WebSocket handshake’s request without verifying CREATE permissions are present for the Kubelet’s /exec endpoint requiring different permissions depending solely on the connection protocol.

That's rough

kodama-lens1mo ago

It is a know problem. The strange part for me is that they fixed it in v1.35 with the FeatureGate AuthorizePodWebsocketUpgradeCreatePermission for pods but not for nodes which have a far greater attact vector. The author also references this:

> The same behavior was fixed elsewhere

It is a problem, but in order to exploit it you need a valid token and have public kubelet endpoints or need to compromise an service within the cluster that has the required RBAC permissions. So cluster admins can cat and check their RBAC

otterley1mo ago

You don’t have to remotely compromise the service within the cluster. A supply-chain attack will do as well.

Cluelessidoit1mo ago

This is what freaks me out about clawdbot/molbot (whatever it’s called now)

j / k navigate · click thread line to collapse