« BackKubernetes Remote Code Execution via Nodes/Proxy Get Permissiongrahamhelton.comSubmitted by illithid0 3 days ago
  • klooney 2 days ago

    > nodes/proxy GET allows command execution when using a connection protocol such as WebSockets. This is due to the Kubelet making authorization decisions based on the initial WebSocket handshake’s request without verifying CREATE permissions are present for the Kubelet’s /exec endpoint requiring different permissions depending solely on the connection protocol.

    That's rough

    • kodama-lens 2 days ago

      It is a know problem. The strange part for me is that they fixed it in v1.35 with the FeatureGate AuthorizePodWebsocketUpgradeCreatePermission for pods but not for nodes which have a far greater attact vector. The author also references this:

      > The same behavior was fixed elsewhere

      It is a problem, but in order to exploit it you need a valid token and have public kubelet endpoints or need to compromise an service within the cluster that has the required RBAC permissions. So cluster admins can cat and check their RBAC

      • otterley 8 hours ago

        You don’t have to remotely compromise the service within the cluster. A supply-chain attack will do as well.

      • Cluelessidoit 13 hours ago

        This is what freaks me out about clawdbot/molbot (whatever it’s called now)