
Kubernetes (K8s) is an open-source container cluster management system originally designed by Google; the name means "helmsman" in Greek, and it manages containers built with Docker and similar tools. According to analysis by Darren Shepherd, a flaw in the permission handling of the Kubernetes API server causes it to leave the TCP connection open after processing a malicious proxy request. Whether or not the intruder is authenticated, they can use the existing TLS credentials as cover to reach the backend server over that connection and send arbitrary requests, so even an anonymous user can escalate privileges to list pods, execute commands and read their output. This vulnerability has a CVSS score of 9.8 and is rated critical; it must not be ignored. The Linux Foundation has published upgraded releases for each Kubernetes branch; however, the Kubernetes 1.0.x-1.9.x series is no longer maintained, so an upgrade to a newer version must be planned. If the environment cannot be updated immediately, adjust the configuration to disable the dangerous authorizations, namely cluster API access and anonymous requests.
Affected products:
- Kubernetes 1.0.x-1.9.x
- Kubernetes 1.10.0-1.10.10
- Kubernetes 1.11.0-1.11.4
- Kubernetes 1.12.0-1.12.2
Remediation:
- Kubernetes 1.10.11, download from https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.10.md/#v11011
- Kubernetes 1.11.5, download from https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md/#v1115
- Kubernetes 1.12.3, download from https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md/#v1123
- Kubernetes 1.13.0-rc.1, download from https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md/#v1130-rc1
- Kubernetes 1.0.x-1.9.x is no longer maintained; please move to one of the versions above.
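The affected ranges above can be checked mechanically against a running cluster. The following Python script is an added example, not code from this advisory or from the Kubernetes project: it reads the `serverVersion.gitVersion` field from `kubectl version -o json` output (the sample JSON below is constructed) and classifies it against the version ranges listed above. Vendor builds carrying a suffix (an assumed form such as `v1.12.2-gke.3`) are compared on their upstream version only, so a fix backported by a distribution would not be recognised.

```python
import json
import re
from typing import Tuple

# Affected upstream ranges as listed in this advisory, keyed by minor version:
# value is the highest affected patch release (None = every patch of that minor).
AFFECTED_PATCH_CEILING = {
    **{minor: None for minor in range(0, 10)},  # 1.0.x - 1.9.x (unmaintained, all affected)
    10: 10,   # 1.10.0 - 1.10.10, fixed in 1.10.11
    11: 4,    # 1.11.0 - 1.11.4,  fixed in 1.11.5
    12: 2,    # 1.12.0 - 1.12.2,  fixed in 1.12.3
}

# Accepts "v1.12.2", "1.12.2", "v1.13.0-rc.1" or vendor builds like "v1.12.2-gke.3";
# only the upstream major.minor.patch is compared.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) or raise ValueError on an unrecognised string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Kubernetes version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the upstream version falls inside an affected range from the advisory."""
    major, minor, patch = parse_version(version)
    if major != 1 or minor not in AFFECTED_PATCH_CEILING:
        return False
    ceiling = AFFECTED_PATCH_CEILING[minor]
    return ceiling is None or patch <= ceiling


def server_is_affected(kubectl_version_json: str) -> Tuple[str, bool]:
    """Read serverVersion.gitVersion from `kubectl version -o json` output and classify it."""
    git_version = json.loads(kubectl_version_json)["serverVersion"]["gitVersion"]
    return git_version, is_affected(git_version)


# Constructed sample of `kubectl version -o json` output (trimmed to the relevant fields).
SAMPLE_KUBECTL_VERSION_JSON = json.dumps({
    "clientVersion": {"major": "1", "minor": "13", "gitVersion": "v1.13.0-rc.1"},
    "serverVersion": {"major": "1", "minor": "12", "gitVersion": "v1.12.2"},
})

if __name__ == "__main__":
    version, affected = server_is_affected(SAMPLE_KUBECTL_VERSION_JSON)
    print(f"server {version}: {'AFFECTED, upgrade' if affected else 'not in an affected range'}")
```

Pipe the real output in with `kubectl version -o json | python3 check.py` after replacing the constructed sample with `sys.stdin.read()`.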
Sources:
- https://asciinema.org/a/kubSrehAf14K7MQ9aZw2RpCYd
- https://meterpreter.org/kubernetes-were-patched-to-fix-the-privilege-escalation-vulnerability/?cn-reloaded=1
- https://github.com/kubernetes/kubernetes/issues/71411
- https://groups.google.com/forum/#
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002105
- https://asciinema.org/a/TjbO5p1JJN0dnNSSWhrcopn9e
- https://github.com/evict/poc_CVE-2018-1002105
- https://access.redhat.com/errata/RHSA-2018:3754
- https://zh.wikipedia.org/wiki/Kubernetes
- https://www.mile.cloud/zh-hant/cloudmilexgcpug-kubernetes/
- https://medium.com/@evenchange4/%25E4%25BA%2594%25E5%2588%2586%25E9%2590%2598-kubernetes-%25E6%259C%2589%25E6%2584%259F-e51f093cb10b
- https://kknews.cc/zh-tw/tech/59a95b6.html
- https://kubernetes.io/
- https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.10.md/#v11011
- https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md/#v1115
- https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md/#v1123
- https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md/#v1130-rc1