CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem #60813

Closed
@liggitt

Description

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

This vulnerability allows containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) to access files/directories outside of the volume, including the host’s filesystem.

Thanks to Maxim Ivanov for reporting this problem.

Vulnerable versions:

  • Kubernetes 1.3.x-1.6.x
  • Kubernetes 1.7.0-1.7.13
  • Kubernetes 1.8.0-1.8.8
  • Kubernetes 1.9.0-1.9.3

Vulnerable configurations:

  • Clusters that allow untrusted users to control pod spec content, and prevent host filesystem access via hostPath volumes (or other volume types) using PodSecurityPolicy (or custom admission plugins)
  • Clusters that make use of subpath volume mounts with untrusted containers or containers that can be compromised

Vulnerability impact:
A specially crafted pod spec combined with malicious container behavior can allow read/write access to arbitrary files outside volumes specified in the pod, including the host’s filesystem. This can be accomplished with any volume type, including emptyDir, and can be accomplished with a non-privileged pod (subject to file permissions).

Mitigations prior to upgrading:
Prevent untrusted users from creating pods (and pod-creating objects such as deployments and replicasets), or disable all volume types with PodSecurityPolicy (note that this also blocks the secret volume that carries the service account token, so pods must set automountServiceAccountToken: false).
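The second mitigation written out as a concrete PodSecurityPolicy plus a pod spec that can still be admitted under it. This is an added example, not text or manifests from the advisory or from the Kubernetes project; the policy name no-volumes, the pod name app and the image reference are assumptions.

```yaml
# Added example (not from the advisory): a PodSecurityPolicy that allows no
# volume types at all. An empty volumes list means every volume in a pod spec
# is rejected, including emptyDir, secret and the service account token volume.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-volumes                 # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes: []                      # no volume types allowed; subPath has nothing to act on
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A pod that is admissible under no-volumes. The service account token is
# normally injected by admission as a secret volume, which this policy would
# reject, so the token mount has to be turned off explicitly.
apiVersion: v1
kind: Pod
metadata:
  name: app                        # assumed name
spec:
  automountServiceAccountToken: false
  containers:
  - name: app
    image: example.com/app:1.0     # assumed image reference
    # no volumeMounts: any volume or subPath here fails PSP validation
```

The policy only takes effect once the PodSecurityPolicy admission plugin is enabled and the pod's service account (or the user creating the pod) is granted the `use` verb on this policy through RBAC; a service account with no usable policy cannot create pods at all, which is the first mitigation listed above.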

Fixed versions:

Action Required:
In addition to upgrading, PodSecurityPolicy objects designed to limit container permissions must completely disable hostPath volumes, as the allowedHostPaths feature does not restrict symlink creation and traversal. Future enhancements (tracked in issue #61043) are required to limit hostPath use to read only volumes or exact path matches before a PodSecurityPolicy can effectively restrict hostPath usage to a given subpath.
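The Action Required item as two policies side by side: a policy that keeps hostPath and leans on allowedHostPaths, and the corrected policy that removes hostPath from the allowed volume types. This is an added example, not part of the advisory or of the Kubernetes project's manifests; the policy names restricted-weak and restricted and the /var/log/app prefix are assumptions.

```yaml
# Weak (do not use): hostPath remains an allowed volume type and the policy
# relies on allowedHostPaths. allowedHostPaths only prefix-matches the path
# written in the pod spec; per the advisory it does not restrict symlink
# creation or traversal under that prefix, so it is not an effective boundary.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-weak            # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - persistentVolumeClaim
  - hostPath                       # the problem: hostPath is still allowed
  allowedHostPaths:
  - pathPrefix: /var/log/app       # assumed prefix; prefix match only
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Corrected: hostPath is removed from the allowed volume types entirely, and
# allowedHostPaths is dropped because it no longer has anything to qualify.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted                 # assumed name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```

To audit existing policies after upgrading, list the allowed volume types per policy with `kubectl get psp -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.spec.volumes}{"\n"}{end}'` and treat any entry containing `hostPath`, or the wildcard `*` (which allows every volume type), as one that still needs to be fixed.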

Known issues:

Labels

  • area/security
  • kind/bug (Categorizes issue or PR as related to a bug.)
  • official-cve-feed (Issues or PRs related to CVEs officially announced by Security Response Committee (SRC).)
  • priority/critical-urgent (Highest priority. Must be actively worked on as someone's top priority right now.)
  • sig/storage (Categorizes an issue or PR as relevant to SIG Storage.)
