A bug in the Kubernetes platform has been disclosed this week by its developers. The bug has been marked as a critical vulnerability with a CVSS score of 9.8 and assigned CVE-2018-1002105.
The GitHub description of the vulnerability reads:
"With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection."
The exploitation method is as follows: an attacker sends a malformed HTTP Upgrade request to the Kubernetes API server. The API server checks the request for authorization and passes it on to the API aggregation layer, and from there to the underlying server.
Regardless of whether the Upgrade request succeeds, the connection between the API server and the underlying application server remains open.
From this point on, every subsequent request sent to the API server is passed directly to the underlying application server, with no authorization enforcement by the API server.
This allows the attacker to issue a wide variety of API calls under an impersonated identity, such as that of a system administrator.
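The flow described above, as an added example that is not F5's or the Kubernetes project's code: a toy Python model of an upgrade-aware proxy in front of a backend that trusts the proxy's credentials. With `require_101=False` the proxy keeps the backend connection as a tunnel whatever the backend answered to the Upgrade, so later requests bypass its authorization; with `require_101=True` it enters tunnel mode only on a 101 Switching Protocols response. `ws_handshake_violations` is the kind of RFC 6455 well-formedness check a WebSocket profile applies; paths, user names and header values are constructed.

```python
import base64

def ws_handshake_violations(headers):
    """RFC 6455 client-handshake checks; an empty list means well-formed."""
    h = {k.lower(): v for k, v in headers.items()}
    bad = []
    if h.get("upgrade", "").lower() != "websocket":
        bad.append("Upgrade must be 'websocket'")
    if "upgrade" not in [t.strip().lower() for t in h.get("connection", "").split(",")]:
        bad.append("Connection must include 'Upgrade'")
    try:  # invalid base64 raises binascii.Error, a ValueError subclass
        if len(base64.b64decode(h.get("sec-websocket-key", ""), validate=True)) != 16:
            raise ValueError
    except ValueError:
        bad.append("Sec-WebSocket-Key must be base64 of a 16-byte nonce")
    if h.get("sec-websocket-version") != "13":
        bad.append("Sec-WebSocket-Version must be 13")
    return bad

class UpgradeProxy:
    """Toy API-server-style proxy; the backend trusts the proxy's credentials."""
    def __init__(self, backend, authorize, require_101):
        self.backend, self.authorize, self.require_101 = backend, authorize, require_101
        self.tunnel_open = False

    def handle(self, user, request):
        if self.tunnel_open:  # raw relay to the backend: no per-request authz
            return self.backend(request)
        if not self.authorize(user, request):
            return (403, "forbidden")
        status, body = self.backend(request)
        if "Upgrade" in request["headers"]:
            # Vulnerable: keep the backend connection as a tunnel even after a
            # failed upgrade. Hardened: enter tunnel mode only on 101.
            self.tunnel_open = status == 101 or not self.require_101
        return (status, body)

def run_scenario(require_101):
    """Constructed flow: malformed Upgrade, then a request the user may not make."""
    def backend(req):  # validates only the handshake; relies on the proxy for authz
        if "Upgrade" in req["headers"]:
            return (101, "") if not ws_handshake_violations(req["headers"]) else (400, "bad upgrade")
        return (200, "node list")
    def authorize(user, req):
        return req["path"].startswith(f"/api/v1/namespaces/{user}/")
    proxy = UpgradeProxy(backend, authorize, require_101)
    malformed = {"Upgrade": "websocket", "Connection": "Upgrade", "Sec-WebSocket-Version": "13"}
    first = proxy.handle("dev", {"path": "/api/v1/namespaces/dev/pods/x/exec", "headers": malformed})
    second = proxy.handle("dev", {"path": "/api/v1/nodes", "headers": {}})
    return [first[0], second[0]]
```

`run_scenario(False)` returns `[400, 200]` (the failed upgrade left a tunnel that relayed the denied request), while `run_scenario(True)` returns `[400, 403]`.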
Mitigation with ASM
ASM can detect malformed WebSocket requests at multiple layers.
Connections to a web application protected by an ASM WebSocket profile must comply with the relevant RFCs.
In addition, ASM signatures can detect such malformed requests using a simple HTTP profile.
An attack signature update that covers this vulnerability has been released.