Kubernetes, the container orchestration system widely used by DevOps practitioners, announced the discovery of CVE-2019-11246, a high-severity vulnerability in its command-line tool kubectl, found during an ongoing third-party security audit. Exploiting the vulnerability enables directory traversal: a malicious container can create or replace files on the workstation of the user running kubectl.
The new flaw exists because the fix for CVE-2019-1002101, a related vulnerability disclosed in March, was incomplete.
CVE-2019-11246 has the same root cause as the previously patched CVE-2019-1002101. Because the earlier update did not close every variant of the problem, a new way to exploit it remained.
CVE-2019-11246 specifically involves kubectl cp, the command that copies files between containers and the user's machine. To copy a path out of a container, kubectl runs the tar binary inside the container to build an archive of that path, streams the archive back over the network, and unpacks it locally on the user's machine.
An attacker who controls a container can replace its tar binary with one that emits an archive whose entry names point outside the destination directory. Whenever a user runs kubectl cp against that container, kubectl writes those entries to any path the user can write to, adding malicious files or overwriting existing ones and thereby compromising the workstation.
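To make the mechanism concrete, the following is an added Python illustration, not kubectl's own code (which is written in Go) and not part of the original article. It builds a constructed archive of the kind a tampered tar binary could stream back, unpacks it first the way a trusting client does (join the entry name onto the destination and write) and then with a hardened extractor that refuses any entry that would land outside the destination, including a write through a symlink the archive itself planted. The scratch directory tree, entry names and file contents are all invented for the example.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed archive standing in for what a tampered tar binary inside the
    container could stream back to kubectl; names and contents are invented."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("app/config.yaml", b"debug: false\n")        # the file the user asked for
        add_file("../../.bashrc", b"# attacker content\n")    # plain '..' traversal
        link = tarfile.TarInfo("escape")                      # symlink pointing out of dest ...
        link.type = tarfile.SYMTYPE
        link.linkname = "../.."
        tar.addfile(link)
        add_file("escape/.profile", b"# attacker content\n")  # ... and a write through it
    return buf.getvalue()


def naive_untar(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Trusting extraction: join the entry name onto dest and write.
    Returns (real paths of files written, rejected entries); rejects nothing."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            target = os.path.join(dest, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, target)
            elif m.isfile():
                with open(target, "wb") as f:   # follows a symlink created by an earlier entry
                    f.write(tar.extractfile(m).read())
                written.append(os.path.realpath(target))
    return written, []


def safe_untar(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Hardened extraction: every entry is checked before anything is written.
    Rejected entries are skipped and reported so the caller can fail loudly."""
    dest_real = os.path.realpath(dest)

    def inside_dest(path: str) -> bool:
        # realpath resolves symlinks already present under dest, so a write
        # through an earlier symlink is caught as well as a plain '..' name.
        return os.path.commonpath([dest_real, os.path.realpath(path)]) == dest_real

    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            target = os.path.join(dest_real, m.name)
            bad_name = m.name.startswith("/") or ".." in m.name.split("/")
            bad_link = m.issym() and (
                m.linkname.startswith("/")
                or not inside_dest(os.path.join(os.path.dirname(target), m.linkname))
            )
            supported = m.isfile() or m.isdir() or m.issym()  # no devices, hard links, ...
            if bad_name or bad_link or not supported or not inside_dest(target):
                rejected.append(m.name)
                continue
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, target)
            else:
                with open(target, "wb") as f:
                    f.write(tar.extractfile(m).read())
                written.append(os.path.realpath(target))
    return written, rejected


def demo() -> dict:
    """Run both extractors against the constructed archive inside a scratch tree
    standing in for the workstation; report files written, escapes and rejects."""
    sandbox = tempfile.mkdtemp(prefix="kubectl-cp-demo-")
    archive = build_malicious_tar()
    results = {}
    for label, extract in (("naive", naive_untar), ("safe", safe_untar)):
        dest = os.path.join(sandbox, label, "home", "user", "downloads")
        os.makedirs(dest)
        dest_real = os.path.realpath(dest)
        written, rejected = extract(archive, dest)
        escaped = [p for p in written if os.path.commonpath([dest_real, p]) != dest_real]
        results[label] = {"written": written, "escaped": escaped, "rejected": rejected}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: escaped={r['escaped']} rejected={r['rejected']}")
```

With the trusting extractor, .bashrc and .profile land two directories above the destination (still inside the scratch tree here, but on a real workstation they would be the user's home directory); the hardened extractor rejects the '..' entry and the outbound symlink, so the later write through "escape/" ends up harmlessly inside the destination. Note that rejecting '..' alone is not enough, which is exactly how an incomplete fix leaves a second hole.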
CVE-2019-11246 is a client-side vulnerability: it requires user interaction, namely a user running kubectl cp against a container the attacker controls.
Users can check whether their client is vulnerable by running kubectl version --client. Client versions older than 1.12.9, 1.13.6, and 1.14.2 are vulnerable, which includes every release before 1.12.9. Because the flaw lies in how the kubectl client unpacks the archive, it is the client, not the cluster, that must be updated, and users should do so as soon as possible.
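A small added Python helper (not part of the original article or of kubectl) that applies the version rule above to the JSON form of the same command, kubectl version --client -o json, so the check can be scripted across many workstations. The fixed-version table comes from the text; treating release lines newer than 1.14 as patched is an assumption, since the list of fixed versions given above ends at 1.14.2.

```python
import json
import re

# Fixed kubectl client versions from the advisory, keyed by release line.
FIXED = {(1, 12): 9, (1, 13): 6, (1, 14): 2}


def parse_git_version(git_version: str) -> tuple[int, int, int]:
    """'v1.13.5-beta.0+abc123-dirty' -> (1, 13, 5); raises ValueError if unparsable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", git_version.strip())
    if not m:
        raise ValueError(f"unrecognised kubectl version: {git_version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: tuple[int, int, int]) -> bool:
    major, minor, patch = version
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Every release before the oldest patched line (1.12.9) is vulnerable.
    # Assumption: lines newer than 1.14 carry the fix (the advisory's list stops at 1.14.2).
    return (major, minor) < (1, 12)


def is_vulnerable_client(version_json: str) -> bool:
    """Takes the output of `kubectl version --client -o json`."""
    git_version = json.loads(version_json)["clientVersion"]["gitVersion"]
    return is_vulnerable_version(parse_git_version(git_version))


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["kubectl", "version", "--client", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    print("VULNERABLE to CVE-2019-11246" if is_vulnerable_client(out) else "patched")
```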
Best practices to defend against possible attacks that exploit CVE-2019-11246
To protect enterprise resources from attackers aiming to take advantage of vulnerabilities such as CVE-2019-11246, organizations should implement the following best practices:
Apply updates as soon as they are available to shrink the window in which a known flaw can be exploited. This applies not only to container tooling such as kubectl but to all software in general.
Avoid running containers as root; run them as unprivileged application users instead. This matters for CVE-2019-11246 because the attacker has to plant a malicious tar binary inside the container, and a process without root in the container normally cannot replace it. Combined with giving users only the cluster access they need rather than access to the entire cluster, this limits how much damage a single mistake, such as running kubectl cp against an untrusted pod, can cause.