Kubernetes Vulnerability CVE-2019-11246 Discovered Due to Incomplete Updates from a Previous Flaw


Kubernetes, which offers a container orchestration system widely used by DevOps practitioners, announced the discovery of CVE-2019-11246, a high-severity vulnerability affecting the command-line interface kubectl, during an ongoing third-party security audit. Exploitation of this vulnerability could lead to a directory traversal, allowing an attacker to use a malicious container to create or replace files on a user’s workstation.

Incidentally, the new flaw emerged due to incomplete updates for CVE-2019-1002101, a related vulnerability which was disclosed back in March.

[Read: Previously Patched, Still Potentially Critical: Kubernetes’ Path Traversal Vulnerability]

The details of CVE-2019-11246 are similar to the previously-patched CVE-2019-1002101. However, due to the incomplete nature of the update, some flaws remained, resulting in the discovery of the new exploit method.

CVE-2019-11246 specifically involves kubectl cp, the command responsible for copying files between containers and user machines. As part of its copying routine, Kubernetes creates an archive by running a tar binary inside the container. It will then copy the archive over the network, after which it will be unpacked on the user’s machine by kubectl.

An attacker could exploit this by using a malicious tar binary to write files to any path on the target machine whenever kubectl cp is called. This could result in malicious files being added or existing ones being overwritten, compromising the environment.
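The check an extractor needs before unpacking an archive produced by an untrusted container, as an added example (not kubectl's own code or the actual patch): it lists entries whose name or symlink target would land outside the destination directory. The function names, the sample archive and the destination path are constructed for illustration, and POSIX path separators are assumed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// escapes reports whether name, resolved under base, lands outside base.
func escapes(base, name string) bool {
	rel, err := filepath.Rel(base, filepath.Join(base, name))
	return filepath.IsAbs(name) || err != nil || rel == ".." || strings.HasPrefix(rel, "../")
}

// UnsafeEntries names tar entries whose path or symlink target would leave dest.
func UnsafeEntries(r io.Reader, dest string) (bad []string, err error) {
	for tr := tar.NewReader(r); ; {
		h, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return bad, err
		}
		link := filepath.Join(filepath.Dir(h.Name), h.Linkname)
		isLink := h.Typeflag == tar.TypeSymlink && (filepath.IsAbs(h.Linkname) || escapes(dest, link))
		if escapes(dest, h.Name) || isLink {
			bad = append(bad, h.Name)
		}
	}
}

// SampleArchive returns a constructed in-memory tar (illustrative, not captured data).
func SampleArchive() io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range []tar.Header{
		{Name: "app/config.yaml", Typeflag: tar.TypeReg},
		{Name: "../../outside.txt", Typeflag: tar.TypeReg},
		{Name: "app/logs", Typeflag: tar.TypeSymlink, Linkname: "/tmp"},
	} {
		tw.WriteHeader(&h) // header-only entries; errors ignored in this sample
	}
	tw.Close()
	return &buf
}

func main() { fmt.Println(UnsafeEntries(SampleArchive(), "/home/user/out")) }
```

Any non-empty result is a reason to reject the whole archive rather than to skip individual entries, since a later entry can be written through an earlier symlink.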

CVE-2019-11246 is a client-side vulnerability, and thus requires user interaction to be exploited.

[Read: Container Security: Examining Potential Threats to the Container Environment]

Users can check whether their client version is vulnerable to the bug by running kubectl version --client. Client versions older than 1.12.9, 1.13.6, and 1.14.2 are vulnerable. Users should update their clients as soon as possible.

Best practices to defend against possible attacks that exploit CVE-2019-11246

To protect enterprise resources from attackers aiming to take advantage of vulnerabilities such as CVE-2019-11246, organizations should implement the following best practices:

  • Apply updates as soon as they are available to lessen the likelihood of an exploitation attack. This applies not only to container machines but to all software programs in general.

  • Avoid running containers with root privileges; run them as application users instead. This is especially applicable in this situation given that CVE-2019-11246 is a client-side vulnerability. By limiting access to the entire cluster, the possibility that user errors could result in vulnerability exploitation is minimized.

Dave Safley

Technology King Pin ;) 
