Kubernetes, Secret Leakage, CVE-2023-XXXX (Critical)

How the CVE Works:

The vulnerability in the Bare Metal Operator (BMO) for Kubernetes allows an adversary with namespace-level permissions to exploit the cluster-scoped privileges of the BMO controller. By creating a `BMCEventSubscription` (BMCES) resource in their authorized namespace, the attacker can reference and load Secrets from unauthorized namespaces. This is possible because the BMO controller, which has cluster-wide access, does not enforce namespace restrictions when retrieving Secrets referenced in the BMCES resource. As a result, sensitive information from other namespaces can be leaked into the attacker’s namespace, leading to a potential compromise of the Kubernetes cluster.
The issue stems from the BMO’s failure to validate the namespace of the referenced Secrets during the creation or deployment of BMCES resources. This oversight allows the BMO controller to access and retrieve Secrets from any namespace, regardless of the user’s permissions. The vulnerability affects all versions of BMO prior to v0.8.1 and v0.9.1, where stricter validation and namespace restrictions have been implemented.

DailyCVE Form:

Platform: Kubernetes
Version: Bare Metal Operator (BMO)
Vulnerability: Secret Leakage
Severity: Critical
Date: 2023-XX-XX

What Undercode Say:

Exploitation:

1. Exploit Command:

An attacker can create a malicious `BMCEventSubscription` resource in their namespace to reference Secrets from other namespaces:

apiVersion: metal3.io/v1alpha1
kind: BMCEventSubscription
metadata:
  name: malicious-bmces
  namespace: attacker-namespace
spec:
  httpHeadersRef:
    name: target-secret
    namespace: victim-namespace

2. Exploit Impact:

The BMO controller retrieves the referenced Secret (`target-secret`) from `victim-namespace` and makes it accessible in `attacker-namespace`.

Protection:

1. Patch Upgrade:

Upgrade to BMO versions v0.8.1 or v0.9.1, which enforce namespace validation for Secrets referenced in BMCES resources.

2. RBAC Configuration:

Restrict BMO’s cluster-scoped privileges by binding its ClusterRole with a namespaced RoleBinding (one per namespace BMO manages) instead of a ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bmo-namespace-scoped
  namespace: target-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bmo-role
subjects:
- kind: ServiceAccount
  name: bmo-service-account
  namespace: target-namespace

3. Namespace Limitation:

Set the `WATCH_NAMESPACE` environment variable on the BMO controller deployment to restrict BMO to a single namespace:

export WATCH_NAMESPACE="target-namespace"

4. Secret Migration:

Before upgrading, duplicate Secrets referenced in BMCES resources to the same namespace as the corresponding Bare Metal Host (BMH):

kubectl get secret target-secret -n victim-namespace -o yaml \
  | sed -e 's/namespace: victim-namespace/namespace: target-namespace/' \
        -e '/^  uid:/d' -e '/^  resourceVersion:/d' -e '/^  creationTimestamp:/d' \
  | kubectl apply -f -

The extra `sed` expressions drop the cluster-assigned `uid`, `resourceVersion` and `creationTimestamp` fields, which the API server rejects when a copied object is created as new.

5. Admission Control:

Implement admission controllers to validate BMCES resources and reject requests referencing Secrets from unauthorized namespaces.

6. Monitoring:

Set up alerts for unauthorized BMCES resource creation or Secret access attempts:

kubectl get events --field-selector involvedObject.kind=BMCEventSubscription -A
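The admission-control and monitoring steps above both come down to one predicate: a BMCES must not reference a Secret outside its own namespace. The following is an added example, not code from the advisory or from the metal3 project, that applies that predicate in two places: as the decision logic of a validating admission webhook (standard admission.k8s.io/v1 AdmissionReview shape) and as an audit over the JSON that `kubectl get bmces -A -o json` returns. Only the field names the advisory shows (`spec.httpHeadersRef.name` / `.namespace`) are assumed; the function names and the sample objects are constructed for the example.

```python
# Added example, not code from the advisory or from the metal3 project:
# the namespace check an admission webhook should apply to
# BMCEventSubscription (BMCES) objects, and the same check run as an audit
# over existing objects. Only the field names the advisory shows are assumed
# (spec.httpHeadersRef.name / .namespace); function names are constructed.
import json


def cross_namespace_ref(bmces: dict):
    """Return (secret_name, secret_namespace) when spec.httpHeadersRef points
    at a Secret outside the BMCES's own namespace, otherwise None."""
    own_ns = bmces["metadata"]["namespace"]
    ref = (bmces.get("spec") or {}).get("httpHeadersRef") or {}
    # A SecretReference with no namespace resolves in the object's own
    # namespace, so only an explicit, different namespace is a finding.
    ref_ns = ref.get("namespace") or own_ns
    if ref_ns != own_ns:
        return ref.get("name"), ref_ns
    return None


def review_admission(admission_review: dict) -> dict:
    """Build the admission.k8s.io/v1 AdmissionReview response a validating
    webhook server would return for a CREATE/UPDATE of a BMCES."""
    request = admission_review["request"]
    obj = request["object"]
    finding = cross_namespace_ref(obj)
    response = {"uid": request["uid"], "allowed": finding is None}
    if finding is not None:
        name, ns = finding
        response["status"] = {
            "code": 403,
            "message": (
                f"spec.httpHeadersRef must reference a Secret in "
                f"{obj['metadata']['namespace']}, not {ns}/{name}"
            ),
        }
    return {"apiVersion": "admission.k8s.io/v1",
            "kind": "AdmissionReview",
            "response": response}


def audit_existing(bmces_list: dict) -> list:
    """Scan a List as produced by `kubectl get bmces -A -o json` and report
    (bmces_namespace, bmces_name, secret_namespace, secret_name) for every
    object that reaches across a namespace boundary."""
    findings = []
    for item in bmces_list.get("items", []):
        hit = cross_namespace_ref(item)
        if hit is not None:
            md = item["metadata"]
            findings.append((md["namespace"], md["name"], hit[1], hit[0]))
    return findings


# Constructed sample objects (not captured from a real cluster).
BAD_BMCES = {
    "apiVersion": "metal3.io/v1alpha1", "kind": "BMCEventSubscription",
    "metadata": {"name": "malicious-bmces", "namespace": "attacker-namespace"},
    "spec": {"httpHeadersRef": {"name": "target-secret",
                                "namespace": "victim-namespace"}},
}
GOOD_BMCES = {
    "apiVersion": "metal3.io/v1alpha1", "kind": "BMCEventSubscription",
    "metadata": {"name": "local-bmces", "namespace": "target-namespace"},
    "spec": {"httpHeadersRef": {"name": "bmc-headers"}},  # same namespace
}
SAMPLE_LIST = {"apiVersion": "v1", "kind": "List",
               "items": [GOOD_BMCES, BAD_BMCES]}

if __name__ == "__main__":
    review = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
              "request": {"uid": "constructed-uid", "object": BAD_BMCES}}
    print(json.dumps(review_admission(review), indent=2))
    for finding in audit_existing(SAMPLE_LIST):
        print("cross-namespace Secret reference:", finding)
```

`review_admission` is the part a webhook server (any HTTPS handler registered through a ValidatingWebhookConfiguration for `bmceventsubscriptions.metal3.io`) would call on each request; `audit_existing` is what a periodic job or alerting script runs against the live list. On clusters that support ValidatingAdmissionPolicy the same rule can be stated as a single CEL expression without running a webhook: `!has(object.spec.httpHeadersRef) || !has(object.spec.httpHeadersRef.namespace) || object.spec.httpHeadersRef.namespace == object.metadata.namespace`. Either form is defence in depth alongside the patched BMO releases, which apply the check inside the controller itself.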

7. Audit Logs:

Regularly review Kubernetes API audit logs for suspicious activity related to BMCES resources, and check the BMO controller’s own logs alongside them:

kubectl logs -n metal3-system -l app=baremetal-operator

By following these steps, Kubernetes administrators can mitigate the risk of Secret leakage and protect their clusters from exploitation.

References:

Reported By: https://github.com/advisories/GHSA-c98h-7hp9-v9hq