How the CVE Works
The vulnerability stems from missing error propagation in `GetNamespaceSelectorsFromNamespaceLister` in pkg/utils/engine/labels.go. When Kyverno processes an admission request, it looks up the labels of the request's namespace to evaluate the namespace selectors of its policies. If the namespace lister fails (for example because the informer cache has not yet caught up with a newly created namespace), the function returns an empty label map instead of propagating the error. The selector then appears not to match, so Kyverno skips policy enforcement, allowing unauthorized Kubernetes API requests to bypass security-critical mutations and validations. Attackers exploiting this flaw can manipulate resources in namespaces supposedly protected by Kyverno policies.
DailyCVE Form
Platform: Kubernetes
Version: Kyverno <1.10.2
Vulnerability: Policy Bypass
Severity: Critical
Date: 2023-XX-XX
What Undercode Says:
Exploitation:
- API Load Attack: Overwhelm the Kubernetes API server to delay cache updates, triggering the bug.
kubectl create ns test-bypass --dry-run=client -o yaml | kubectl apply -f -
- Race Condition: Rapidly create namespaces and resources before Kyverno syncs.
for i in {1..100}; do kubectl create ns exploit-$i && kubectl apply -f malicious-pod.yaml -n exploit-$i; done
Detection:
1. Check Kyverno logs for skipped namespace errors:
kubectl logs -l app=kyverno -n kyverno | grep "empty namespace labels"
2. Audit policies with namespace selectors:
kubectl get clusterpolicies -o yaml | grep "namespaceSelector"
Mitigation:
1. Patch Kyverno: Upgrade to v1.10.2+. Note that Helm's --version takes the chart version, not the Kyverno application version; use helm search repo kyverno/kyverno --versions to find the chart that ships 1.10.2.
helm repo update && helm upgrade kyverno kyverno/kyverno -n kyverno --version <chart version that ships Kyverno 1.10.2>
2. Enforce Fail Policy: Ensure policies set failurePolicy: Fail so that an evaluation error rejects the request instead of letting it through. This only helps once the lister error is actually propagated (v1.10.2+); in vulnerable versions the error is swallowed before the failure policy can act.
spec:
  failurePolicy: Fail
3. Fallback API Check: Modify Kyverno to fetch the namespace directly from the API server when the cache lookup fails, and propagate any remaining error instead of returning an empty label map.
ns, err := client.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
if err != nil { return nil, err } // propagate; never substitute an empty label map
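The failure mode described under "How the CVE Works" and the fix direction of step 3, as an added Go example that is not Kyverno's own code: a hypothetical in-memory lister stands in for the informer cache, and the pre-fix decision logic (error swallowed, empty label map, policy skipped) sits beside a version that propagates the error and fails closed.

```go
package main

import "errors"

// cacheLister is a hypothetical stand-in for the informer-backed namespace
// lister: a namespace the cache has not synced yet is simply absent.
type cacheLister map[string]map[string]string

func (c cacheLister) Labels(name string) (map[string]string, error) {
	if labels, ok := c[name]; ok {
		return labels, nil
	}
	return nil, errors.New("namespace not yet in lister cache")
}

// selectorMatches is a minimal matchLabels check.
func selectorMatches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// vulnerableDecision mirrors the pre-fix logic: the lister error is swallowed
// and replaced by an empty label map, so the policy is silently skipped.
func vulnerableDecision(l cacheLister, ns string, sel map[string]string) string {
	labels, err := l.Labels(ns)
	if err != nil {
		labels = map[string]string{} // the bug: error dropped here
	}
	if selectorMatches(sel, labels) {
		return "enforce"
	}
	return "skip"
}

// fixedDecision propagates the lister error and fails closed instead of
// guessing that the selector did not match.
func fixedDecision(l cacheLister, ns string, sel map[string]string) (string, error) {
	labels, err := l.Labels(ns)
	if err != nil {
		return "deny", err
	}
	if selectorMatches(sel, labels) {
		return "enforce", nil
	}
	return "skip", nil
}
```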
References:
- Kyverno Patch: GitHub Commit
- CVE Details: NVD Entry
Analytics:
- Attack Surface: High (K8s API access required).
- Exploit Complexity: Medium (race condition dependent).
- Patch Urgency: Critical (bypasses core security controls).
Sources:
Reported By: github.com