How the CVE Works
The vulnerability in Fleet arises from improper SSH host key verification (host keys, not certificates: plain SSH to a Git server has no certificate chain to check). When the remote server's host key is not present in a `known_hosts` file, Fleet trusts whatever key the server presents during the SSH handshake, so an attacker positioned between the Fleet controller and the Git server can impersonate the server and read or alter the traffic. That allows tampered repository content to be fetched and deployed to the managed clusters (in effect, unauthorized code execution) or repository data to be stolen. The flaw affects versions before v0.10.12, v0.11.7 and v0.12.2, which do not enforce strict host key verification unless it is explicitly configured.
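The verification logic the paragraph describes, as an added example in Go (illustration only, not Fleet's own code; Fleet's real implementation and its option names are not reproduced here): a small known_hosts checker that handles plain, comma-separated and hashed (`|1|salt|hmac`) host entries, computes OpenSSH-style SHA256 fingerprints, and has a `strict` switch so the flawed "accept anything when nothing is pinned" fallback can be run side by side with the correct behaviour. The hostnames, salt and key blobs are constructed sample data, not real keys.

```go
package main

import (
	"bufio"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// HostKey is the key a server presents in the SSH handshake, in the
// "<type> <base64 blob>" form that known_hosts records.
type HostKey struct {
	Type string
	Blob string
}

// Fingerprint returns the OpenSSH-style "SHA256:<base64>" fingerprint.
func (k HostKey) Fingerprint() string {
	raw, err := base64.StdEncoding.DecodeString(k.Blob)
	if err != nil {
		return "(invalid key blob)"
	}
	sum := sha256.Sum256(raw)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// HashHost builds the hashed host field "|1|<salt>|<HMAC-SHA1(salt, host)>"
// written by ssh-keyscan -H and by OpenSSH with HashKnownHosts enabled.
func HashHost(salt []byte, hostname string) string {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(hostname))
	return "|1|" + base64.StdEncoding.EncodeToString(salt) +
		"|" + base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// hostMatches reports whether a known_hosts host field (plain, comma
// separated, or hashed) names hostname.
func hostMatches(field, hostname string) bool {
	if strings.HasPrefix(field, "|1|") {
		parts := strings.Split(field, "|") // "", "1", salt, hash
		if len(parts) != 4 {
			return false
		}
		salt, err := base64.StdEncoding.DecodeString(parts[2])
		if err != nil {
			return false
		}
		return hmac.Equal([]byte(HashHost(salt, hostname)), []byte(field))
	}
	for _, h := range strings.Split(field, ",") {
		if h == hostname {
			return true
		}
	}
	return false
}

// Verify checks the key presented by hostname against known_hosts text.
// strict=false reproduces the flawed pre-fix behaviour: a host with no pinned
// entry is accepted whatever key it presents. strict=true refuses unpinned
// hosts. A pinned-but-different key is always rejected (the MitM signal).
func Verify(knownHosts, hostname string, presented HostKey, strict bool) error {
	pinned := false
	sc := bufio.NewScanner(strings.NewReader(knownHosts))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// skip blanks, comments and @revoked/@cert-authority marker lines (not modelled here)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], "@") {
			continue
		}
		if !hostMatches(f[0], hostname) || f[1] != presented.Type {
			continue
		}
		pinned = true
		if f[2] == presented.Blob {
			return nil // presented key equals the pinned key
		}
	}
	if pinned {
		return fmt.Errorf("host key mismatch for %s: got %s, possible MitM", hostname, presented.Fingerprint())
	}
	if strict {
		return fmt.Errorf("no known_hosts entry for %s: refusing to connect", hostname)
	}
	return nil // the flaw: unknown host trusted with nothing recorded
}

// Constructed sample data: the blobs are not real keys, only distinct
// base64 strings standing in for the server's and the attacker's key.
var (
	GoodKey          = HostKey{"ssh-ed25519", base64.StdEncoding.EncodeToString([]byte("sample server key blob (constructed)"))}
	AttackerKey      = HostKey{"ssh-ed25519", base64.StdEncoding.EncodeToString([]byte("sample attacker key blob (constructed)"))}
	SampleSalt       = []byte("0123456789abcdef0123") // 20 bytes, the size OpenSSH uses
	SampleKnownHosts = "# constructed known_hosts for the example\n" +
		"git.example.internal,10.0.0.5 " + GoodKey.Type + " " + GoodKey.Blob + "\n" +
		HashHost(SampleSalt, "hashed.example.internal") + " " + GoodKey.Type + " " + GoodKey.Blob + "\n"
)

func main() {
	cases := []struct {
		host   string
		key    HostKey
		strict bool
	}{
		{"git.example.internal", GoodKey, true},
		{"git.example.internal", AttackerKey, true},  // mismatch: rejected
		{"hashed.example.internal", GoodKey, true},   // hashed entry matched
		{"new.example.internal", AttackerKey, false}, // the flaw: accepted
		{"new.example.internal", AttackerKey, true},  // fixed behaviour: refused
	}
	for _, c := range cases {
		fmt.Printf("%-24s strict=%-5v -> %v\n", c.host, c.strict, Verify(SampleKnownHosts, c.host, c.key, c.strict))
	}
}
```

The fourth case is the whole bug in one line: with nothing pinned for `new.example.internal`, the non-strict verifier returns nil for the attacker's key. The fix is not a new check but a different default: treat "no entry" as a failure unless an operator has deliberately opted out.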
DailyCVE Form
Platform: Fleet
Version: < v0.10.12, < v0.11.7, < v0.12.2
Vulnerability: MitM via missing SSH host key verification
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
Exploitation:
- Intercept SSH traffic: after redirecting the Fleet controller's Git traffic to an attacker-controlled host (for example by ARP or DNS spoofing, or from a compromised network hop), use a tool such as `sshmitm` to present a spoofed host key for the Git server:
sshmitm -H <target_git_server> -p 22
- Poison known_hosts: this is only required if Fleet does have an entry for the server. If the attacker can write to the known_hosts file Fleet reads, they can pin their own key there:
echo "<malicious_key>" >> ~/.ssh/known_hosts
If Fleet has no entry for the server, nothing needs to be poisoned: on affected versions the spoofed key is accepted as-is.
- Exploit the Fleet workflow: wait for the next Git fetch of a GitRepo that points at the spoofed server, or trigger one (e.g. `fleet apply`). The tampered repository content is then rolled out to the managed clusters, which is the arbitrary code execution outcome.
Protection:
1. Upgrade Fleet to a fixed release (v0.10.12, v0.11.7 or v0.12.2, whichever matches your branch). Using the Fleet Helm repository, upgrade the CRD chart first, then the controller:
helm repo add fleet https://rancher.github.io/fleet-helm-charts/
helm upgrade fleet-crd fleet/fleet-crd --version 0.12.2 -n cattle-fleet-system
helm upgrade fleet fleet/fleet --version 0.12.2 -n cattle-fleet-system
2. Enforce known_hosts: supply a pinned host key list (e.g. `ssh-keyscan` output that you have verified out of band against the Git server's published fingerprints) in the namespace Fleet runs in:
kubectl create configmap known-hosts -n cattle-fleet-system --from-file=known_hosts=/path/to/known_hosts
3. Strict host checking: make sure unknown or mismatched host keys are refused rather than accepted on first use:
fleet.yaml gitops: strictHostKeyChecking: true
Confirm the exact option name against the documentation for your Fleet release; a fixed version with a populated known_hosts rejects unknown and mismatched keys.
4. Network controls: restrict outbound SSH from the controller to the Git server only. A blanket drop would also cut Fleet off from its repositories, so allow the trusted server before the drop rule:
iptables -A OUTPUT -p tcp -d <git_server> --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j DROP
Detection:
- Audit logs: search the controller logs, in the namespace Fleet runs in, for host key messages (verification failures, unknown hosts, key changes):
kubectl logs -n cattle-fleet-system -l app=fleet-controller | grep -i "host key"
- Monitor SSH handshakes: capture the controller's traffic to the Git server and look for connections to unexpected addresses or a server key fingerprint that differs from the one you pinned:
tcpdump -nn -i eth0 'port 22 and host <git_server>'
Static Analysis:
- Check the Fleet config for the strict host checking setting:
grep -r "strictHostKeyChecking" /etc/fleet/
- Verify that the known_hosts file Fleet reads exists and is non-empty (a missing or empty file means every server is trusted on unpatched versions):
stat ~/.ssh/known_hosts
Mitre ATT&CK Mapping:
- Tactic: TA0006 (Credential Access), TA0009 (Collection)
- Technique: T1557 (Adversary-in-the-Middle)
Sources:
Reported By: github.com

