kcp, LogicalCluster Status Patch Vulnerability, CVE-2024-32867 (Critical)


The vulnerability CVE-2024-32867 in kcp stems from a missing validation function in the code handling virtual workspaces. Specifically, the `DefaultDynamicDelegatedStoreFuncs` does not call `rest.ValidateObjectUpdateFunc` when processing updates to `LogicalCluster` objects. This omission allows an attacker with access to the `initializingworkspaces` virtual workspace to send arbitrary PATCH requests to the status field of a `LogicalCluster` during its initialization phase. The Kubernetes API server, lacking the intended validation, accepts these malicious patches. Consequently, an attacker can manipulate the status by adding or removing initializers or even forcibly changing the cluster’s phase to “Ready”. This action can bypass critical initialization steps, such as security checks or billing integrations, that are enforced by initializers, leading to unauthorized access or skipped procedures.
Platform: kcp
Version: <0.28.3

Vulnerability : Missing Validation

Severity: Critical

Date: 2024

Prediction: Patch available

What Undercode Say:

curl -X PATCH "https://kcp-api/apis/tenancy.kcp.io/v1alpha1/logicalclusters/workspace:root:myws/status" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/merge-patch+json" \
  -d '{
    "status": {
      "phase": "Ready",
      "initializers": []
    }
  }'

// Vulnerable code path in the storage wrapper (simplified; constructor parameters
// and the delegate lookup of the current object are elided)
func DefaultDynamicDelegatedStoreFuncs(/* ... */) *StoreFuncs {
	return &StoreFuncs{
		// ... other functions ...
		UpdateFunc: func(ctx context.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc, forceAllowCreate bool, options metav1.UpdateOptions) (runtime.Object, bool, error) {
			// oldObj is the current object fetched from the delegate (elided)
			updatedObj, err := objInfo.UpdatedObject(ctx, oldObj)
			if err != nil {
				return nil, false, err
			}
			// Missing call to updateValidation(ctx, updatedObj, oldObj) allows the bypass
			return updatedObj, false, nil
		},
	}
}

How Exploit:

An attacker with access to the initializingworkspaces virtual workspace sends a crafted PATCH request to a target LogicalCluster’s status endpoint during initialization. The request sets the phase to “Ready” and clears all initializers, bypassing the security and billing hooks.

Protection from this CVE:

Upgrade kcp to version 0.28.3 or later. Apply the principle of least privilege by restricting the ‘initialize’ verb on WorkspaceType objects. Only use trusted WorkspaceType definitions.
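To make the defect and its fix concrete, the following is an added, self-contained Go model written for this page; it is not kcp's code. It reproduces the shape of the flawed wrapper above (a validation callback that is received but never invoked) next to the corrected path that runs the callback on (new, old) before persisting, and pairs it with a status-validation rule for initializers. The types, the Store, and the validation rule (an initializer may remove only itself, nothing may be added via the status endpoint, and Ready requires an empty initializer list) are assumptions modelled on the advisory's description of the abuse, not kcp's real types or validation logic; the sample cluster is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal stand-ins for a LogicalCluster and its status (constructed for this example, not kcp's real types).
type LogicalClusterStatus struct {
	Phase        string
	Initializers []string
}

type LogicalCluster struct {
	Name   string
	Status LogicalClusterStatus
}

// ValidateUpdateFunc plays the role of rest.ValidateObjectUpdateFunc: it sees the
// proposed object and the current one and returns an error to reject the update.
type ValidateUpdateFunc func(newObj, oldObj *LogicalCluster) error

// UpdateStatusVulnerable models the flawed wrapper: the validation callback is
// accepted as a parameter but never invoked, so any status patch is persisted.
func UpdateStatusVulnerable(s map[string]*LogicalCluster, name string, patch LogicalClusterStatus, validate ValidateUpdateFunc) (*LogicalCluster, error) {
	old, ok := s[name]
	if !ok {
		return nil, fmt.Errorf("logicalcluster %q not found", name)
	}
	updated := *old
	updated.Status = patch // what objInfo.UpdatedObject would yield after the merge patch
	s[name] = &updated     // validate is never called: this is the CVE-2024-32867 defect
	return &updated, nil
}

// UpdateStatusFixed is the same path with the missing call restored: the
// validation callback runs on (new, old) before anything is written.
func UpdateStatusFixed(s map[string]*LogicalCluster, name string, patch LogicalClusterStatus, validate ValidateUpdateFunc) (*LogicalCluster, error) {
	old, ok := s[name]
	if !ok {
		return nil, fmt.Errorf("logicalcluster %q not found", name)
	}
	updated := *old
	updated.Status = patch
	if err := validate(&updated, old); err != nil {
		return nil, err
	}
	s[name] = &updated
	return &updated, nil
}

// InitializerScopedValidation returns the rule a caller acting as the named
// initializer is held to. The rule is an assumption modelled on the abuse the
// advisory describes, not kcp's actual validation: an initializer may remove only
// itself, nothing may be added via the status endpoint, and Ready needs an empty list.
func InitializerScopedValidation(caller string) ValidateUpdateFunc {
	return func(newObj, oldObj *LogicalCluster) error {
		oldSet, newSet := toSet(oldObj.Status.Initializers), toSet(newObj.Status.Initializers)
		for init := range newSet {
			if !oldSet[init] {
				return fmt.Errorf("initializer %q may not be added via the status endpoint", init)
			}
		}
		for init := range oldSet {
			if !newSet[init] && init != caller {
				return fmt.Errorf("initializer %q can only be removed by itself, not by %q", init, caller)
			}
		}
		if newObj.Status.Phase == "Ready" && len(newSet) > 0 {
			return errors.New("phase may not be Ready while initializers are pending")
		}
		return nil
	}
}

func toSet(items []string) map[string]bool {
	set := make(map[string]bool, len(items))
	for _, it := range items {
		set[it] = true
	}
	return set
}

// SeedStore returns a constructed sample: a workspace mid-initialization with a
// security check and a billing hook still pending.
func SeedStore() map[string]*LogicalCluster {
	return map[string]*LogicalCluster{"root:myws": {Name: "root:myws", Status: LogicalClusterStatus{
		Phase: "Initializing", Initializers: []string{"security-check", "billing"}}}}
}

func main() {
	forged := LogicalClusterStatus{Phase: "Ready"} // the advisory's patch: Ready, initializers cleared
	asBilling := InitializerScopedValidation("billing")
	_, errVuln := UpdateStatusVulnerable(SeedStore(), "root:myws", forged, asBilling)
	_, errFixed := UpdateStatusFixed(SeedStore(), "root:myws", forged, asBilling)
	fmt.Println("vulnerable wrapper accepted forged patch:", errVuln == nil)
	fmt.Println("fixed wrapper rejected forged patch:", errFixed)
}
```

Run as-is: the vulnerable wrapper persists the forged status, while the fixed wrapper rejects it because the caller (billing) tried to drop the security-check initializer. The design point is that the wrapper, not the caller, is responsible for invoking the validation it was handed; restoring that call is what the upgrade provides, and scoping the ‘initialize’ verb is what limits who can reach the endpoint at all.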

Impact:

Unauthorized skipping of critical initialization workflows (security, billing). Potential for complete bypass of cluster provisioning safeguards. Affects multi-tenant environments relying on initializers.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
