How CVE-2024-4323 Works
Kubetail’s dashboard exposes WebSocket endpoints that do not validate the `Origin` header during the connection upgrade. When a user has an active Kubetail session in their browser, visiting a malicious webpage initiates a WebSocket connection request to the victim’s dashboard (e.g., localhost:7500). The browser automatically includes any stored HTTP basic authentication credentials with the WebSocket handshake request. Without Origin header verification, the Kubetail server accepts WebSocket connections from any origin, including a page the attacker controls.

This Cross-Site WebSocket Hijacking (CSWSH) lets the malicious webpage open a WebSocket tunnel to the dashboard, bypassing the same-origin policy, and stream the container logs the victim has permission to view. For desktop deployments, the dashboard’s predictable localhost URL makes exploitation trivial because the attacker can simply guess the address. For cluster deployments fronted with HTTP basic auth, the browser’s automatic re-sending of credentials on the WebSocket upgrade completes the attack, which then requires only knowledge of the Ingress hostname.

The vulnerability exists because the server does not check the `Origin` header against a whitelist of allowed origins before establishing the persistent WebSocket channel, which effectively grants cross-origin read access to sensitive Kubernetes logs.
DailyCVE Form
Platform: Kubetail Dashboard
Version: below 0.14.0
Vulnerability: Cross-origin WebSocket hijacking
Severity: Medium
Date: 2024-11-22
Prediction: Patch within weeks
What Undercode Say
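```bash
# Check the Kubetail Dashboard version
kubetail version

# Verify whether WebSocket Origin header validation is missing.
# RFC 6455 requires the version and key headers for a valid handshake;
# a 101 Switching Protocols response means the foreign Origin was accepted.
curl -i -H "Origin: https://attacker.com" -H "Connection: Upgrade" -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  http://localhost:7500/api/stream

# Monitor active Kubetail sessions on the loopback interface (lo0 on macOS, lo on Linux)
sudo tcpdump -i lo0 -A 'tcp port 7500'

# Test whether the dashboard accepts unauthorized WebSocket connections
# (URL quoted so the shell does not interpret the "?")
wscat -c 'ws://localhost:7500/api/stream?pod=my-pod' --origin https://evil.com
```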
Exploit
Attacker hosts a webpage containing JavaScript that opens a WebSocket to ws://localhost:7500/api/stream?pod=target-pod. The victim’s browser attaches any stored basic auth credentials. Once connected, the script reads incoming log lines and sends them to `https://attacker.com/exfiltrate`.
Protection from this CVE
Upgrade Kubetail Dashboard to v0.14.0 or later, Helm Chart to v0.23.0+, or CLI to v0.16.0+. If an immediate upgrade is not possible, stop the dashboard when not in use, avoid untrusted sites, restrict Ingress access via VPN, or deploy an OAuth proxy before basic auth.
Impact
Attacker gains read-only access to Kubernetes container logs visible to the victim, potentially exposing credentials, bearer tokens, PII, internal hostnames, and other secrets exfiltrated to attacker‑controlled servers. Desktop deployments are most exposed due to localhost reachability and ambient credential attachment.
Sources:
Reported By: github.com

