Inspektor Gadget versions 0.31.0 to 0.40.0 contain a vulnerability where security policies (`allowed-gadgets`, `disallow-pulling`, `verify-image`) can be bypassed by a malicious client. The bypass occurs when an attacker with access to the server (via TLS certificates in `ig daemon` mode or Kubernetes cluster access) manipulates requests to circumvent policy enforcement. This allows unauthorized gadget execution, image pulls, or unverified image deployments. The flaw stems from insufficient validation of client-supplied parameters, enabling policy checks to be skipped under specific conditions.
DailyCVE Form:
Platform: Inspektor Gadget
Version: 0.31.0-0.40.0
Vulnerability: Policy Bypass
Severity: Moderate
Date: May 6, 2025
What Undercode Say:
Exploit:
1. Kubernetes Cluster Access:
kubectl exec -it <pod> -- curl -X POST --insecure <ig-server>/bypass-policy
2. TLS Certificate Abuse:
openssl s_client -connect <ig-server>:443 -cert malicious.pem -key malicious.key
Mitigation:
1. Patch: Upgrade to v0.40.0:
kubectl apply -f https://ig-update/0.40.0/manifest.yaml
2. Network Policies:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ig
spec:
  podSelector:
    matchLabels: {app: inspektor-gadget}
  ingress:
  - from: [{namespaceSelector: {matchLabels: {role: trusted}}}]
3. Log Monitoring:
journalctl -u ig-daemon --grep "policy violation" --since "1 hour ago"
Detection:
1. Audit Logs:
kubectl logs -l app=inspektor-gadget --tail=100 | grep -i "unauthorized"
2. Image Verification:
ig verify-image --strict <image>
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- Patch Commit: `git clone https://github.com/inspektor-gadget/[email protected]`
Sources:
Reported By: github.com
Extra Source Hub:
Undercode