UPDATED 16:00 EST / DECEMBER 03 2018

‘Critical’ Kubernetes flaw enables attackers to gain administrative control

A recently discovered flaw in the Kubernetes orchestration manager can enable any authorized user to gain administrative privileges that could be used to steal data or bring down production applications. The same vulnerability can also be exploited by unauthorized users to inject malicious code.

The flaw, which affects Kubernetes versions 1.10 and higher, was publicly disclosed on GitHub a week ago. Red Hat Inc. today posted details on its customer portal and labeled the vulnerability “critical” based on the ease with which it can be exploited. The bug also affects Red Hat OpenShift, which is the company’s distribution of Kubernetes.

A patch has been issued, and any organization that has automatic updates turned on should already be protected. However, there is no way to know what percentage of Kubernetes users use automatic updates. Large enterprises often test patches before applying them, and so would likely have the option turned off.

Kubernetes orchestrates collections of software containers, which are small, portable virtual machines that are increasingly popular as the building blocks for modern services-based applications. Released to open source just four years ago, Kubernetes has already been adopted by more than 70 percent of enterprises, according to 451 Research LLC.

Red Hat said a malicious user can exploit the flaw either by abusing pod exec privileges granted to a normal user or by attacking the application programming interface extensions feature, which provides the service catalog and access to additional features in Kubernetes. The service catalog enables applications running in Kubernetes clusters to easily use external software. A pod is a group of containers that are deployed together on the same host.

“With elevated privileges gained through the first exploit, an authenticated attacker can access any container running on the same node as their pod, allowing them access to sensitive workloads, data and even production applications,” Red Hat said in an advisory.

The second exploit method enables even an unauthenticated user to gain administrative privileges and to create managed services, which could include malicious code.

“There is no simple way to detect whether this vulnerability has been used,” Jordan Liggitt, a staff software engineer at Google LLC, wrote on the GitHub post. “Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log.”
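Because the audit log does not record the abuse, the practical check for a defender is to inventory the two exposure points the article names: which subjects may create pod exec sessions, and which API extensions are aggregated to an in-cluster service. The script below is an added example, not code from the article, Red Hat or the Kubernetes project; it runs over constructed samples of `kubectl get apiservices -o json` and `kubectl get clusterroles,clusterrolebindings -o json` output, and a real cluster's output would be fed in the same way.

```python
import json

# Constructed sample: one built-in APIService and one aggregated (service-backed) one.
APISERVICES = json.loads("""{"items": [
 {"metadata": {"name": "v1.apps"}, "spec": {"group": "apps", "version": "v1"}},
 {"metadata": {"name": "v1beta1.servicecatalog.k8s.io"},
  "spec": {"group": "servicecatalog.k8s.io", "version": "v1beta1",
           "service": {"name": "catalog-apiserver", "namespace": "catalog"}}}]}""")

# Constructed sample ClusterRoles: one grants pods/exec, one is read-only.
CLUSTERROLES = json.loads("""{"items": [
 {"metadata": {"name": "exec-role"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"metadata": {"name": "view-only"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}]}""")

# Constructed sample binding of the exec role to a group.
BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "devs-exec"},
  "roleRef": {"kind": "ClusterRole", "name": "exec-role"},
  "subjects": [{"kind": "Group", "name": "developers"}]}]}""")


def aggregated_apiservices(apiservices):
    """APIServices the API server proxies to an in-cluster service (the extension path)."""
    return sorted(i["metadata"]["name"] for i in apiservices["items"] if i["spec"].get("service"))


def roles_granting_exec(clusterroles):
    """ClusterRoles whose rules allow 'create' on pods/exec in the core group (or wildcards)."""
    names = set()
    for role in clusterroles["items"]:
        for rule in role.get("rules", []):
            groups, res, verbs = rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
            if ({"", "*"} & set(groups)) and ({"pods/exec", "*"} & set(res)) and ({"create", "*"} & set(verbs)):
                names.add(role["metadata"]["name"])
    return names


def subjects_with_exec(clusterroles, bindings):
    """Subjects bound cluster-wide to an exec-granting role; each grant deserves review."""
    risky = roles_granting_exec(clusterroles)
    return sorted(f'{s["kind"]}:{s["name"]}' for b in bindings["items"]
                  if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] in risky
                  for s in b.get("subjects", []))


if __name__ == "__main__":
    print("aggregated APIServices:", aggregated_apiservices(APISERVICES))
    print("subjects able to exec into pods:", subjects_with_exec(CLUSTERROLES, BINDINGS))
```

Namespaced RoleBindings and Roles grant the same verb within a single namespace and should be inventoried the same way.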
