CVE-2024-43403: Kanister Vulnerability Opens Door to Cluster-Level Privilege Escalation
A critical vulnerability in the popular data protection workflow management tool, Kanister, has been discovered, potentially allowing attackers to gain full control over Kubernetes clusters. The vulnerability, identified as CVE-2024-43403, was uncovered by Nanzi Yang, a PostDoc at UMN.
The core of the issue lies within the `default-kanister-operator` deployment, which is bound to a Kubernetes ClusterRole known as `edit`. This ClusterRole, one of Kubernetes' default roles, is configured with permissions that include the ability to create, patch, and update `daemonset` resources, create service account tokens, and impersonate service accounts.
If a malicious user gains access to a worker node hosting the `default-kanister-operator`, they could exploit this vulnerability in several ways:
- Daemonset Resource Manipulation: By leveraging the `create`, `patch`, and `update` verbs on `daemonset` resources, an attacker could create or modify a set of Pods to mount a high-privilege service account, such as the `cluster-admin` service account. This would allow the attacker to use the service account token to gain control over the entire cluster.
- Service Account Token Creation: The `edit` ClusterRole also allows the creation of service account tokens. A malicious actor could generate new tokens with high-privilege roles and use them to manipulate any resources within the cluster, further escalating their control.
- Impersonation of High-Privilege Accounts: With the ability to impersonate service accounts, an attacker could assume the identity of high-privilege accounts like `cluster-admin`. This would grant them full access to perform actions such as creating, modifying, or deleting critical resources within the Kubernetes environment.
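The three grants above are visible in RBAC objects, so an operator can check their own cluster for any service account that receives them through a ClusterRoleBinding before (and after) applying the update. The following audit script is an added example written for this article, not code from the Kanister project or the advisory. It works on ClusterRole and ClusterRoleBinding objects in the JSON shape that `kubectl get clusterroles,clusterrolebindings -o json` emits; the embedded sample objects are constructed for the example, the `edit` role is an abbreviated copy of the grants the article attributes to it, and the binding name, the `kanister-operator` service account and the `kanister` namespace are assumptions, not values from the advisory.

```python
"""Flag ClusterRoleBindings that hand a ServiceAccount the RBAC grants
named in the CVE-2024-43403 write-up (daemonset create/patch/update,
serviceaccounts/token create, serviceaccounts impersonate)."""
import json
import sys

# (apiGroup, resource) -> verbs that allow escalation beyond the subject's namespace.
RISKY_GRANTS = {
    ("apps", "daemonsets"): {"create", "patch", "update"},
    ("", "serviceaccounts/token"): {"create"},
    ("", "serviceaccounts"): {"impersonate"},
}

# Constructed sample data (not real cluster output). The `edit` role is an
# abbreviated copy of the grants the article describes; `view` is a read-only
# control case that must produce no findings.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "edit"},
     "rules": [
         {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments"],
          "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
         {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
         {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": ["apps"], "resources": ["daemonsets"],
                "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    # Assumed binding/subject names; the advisory does not state them.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kanister-operator-edit"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "kanister-operator", "namespace": "kanister"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "metrics-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "monitoring"}]},
]


def risky_rules(cluster_role):
    """Return (apiGroup, resource, verb) triples in a ClusterRole that match RISKY_GRANTS.

    Wildcards ("*") in apiGroups, resources or verbs count as matching every risky entry.
    """
    found = []
    for rule in cluster_role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for (rg, rr), risky_verbs in RISKY_GRANTS.items():
                    if group in (rg, "*") and resource in (rr, "*"):
                        hit = risky_verbs if "*" in verbs else risky_verbs & verbs
                        found.extend((rg, rr, v) for v in sorted(hit))
    return found


def audit_bindings(cluster_roles, bindings):
    """Map 'namespace/serviceaccount' to the sorted risky grants it receives via ClusterRoleBindings."""
    roles = {cr["metadata"]["name"]: cr for cr in cluster_roles}
    report = {}
    for binding in bindings:
        ref = binding.get("roleRef", {})
        role = roles.get(ref.get("name")) if ref.get("kind") == "ClusterRole" else None
        if role is None:
            continue
        hits = risky_rules(role)
        if not hits:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            key = f"{subject.get('namespace', '')}/{subject['name']}"
            report.setdefault(key, set()).update(hits)
    return {subject: sorted(grants) for subject, grants in report.items()}


def load_items(path):
    """Read a kubectl JSON List (from `-o json`) and return its items."""
    with open(path) as fh:
        return json.load(fh).get("items", [])


if __name__ == "__main__":
    # Usage: python audit.py clusterroles.json clusterrolebindings.json
    # Without arguments the constructed sample data is audited instead.
    if len(sys.argv) == 3:
        roles, bindings = load_items(sys.argv[1]), load_items(sys.argv[2])
    else:
        roles, bindings = SAMPLE_ROLES, SAMPLE_BINDINGS
    for subject, grants in audit_bindings(roles, bindings).items():
        print(subject)
        for group, resource, verb in grants:
            print(f"  {verb} {resource} ({group or 'core'})")
```

Run against a real cluster by saving `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` to files and passing both paths; any service account listed in the output holds, cluster-wide, the same class of permissions the article describes for the Kanister operator, and is worth reviewing for least privilege regardless of which workload uses it. The script deliberately ignores namespaced RoleBindings, since the escalation path described here depends on the grants being cluster-scoped.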
The potential impact of CVE-2024-43403 is severe, as it could enable a complete takeover of a Kubernetes cluster if left unaddressed. The ability to escalate privileges from a worker node to a cluster-wide scope poses a significant threat to the integrity and security of Kubernetes environments relying on Kanister.
The Kanister project has issued a security advisory urging users to update to the latest version, which includes a fix for this vulnerability. It’s crucial for organizations using Kanister to apply the update immediately to protect their Kubernetes environments from potential attacks.