HackDig : Dig high-quality web security articles for hackers

Understanding and mitigating CVE-2020-8563: vSphere credentials leak in the cloud-controller-manager log

2020-10-16 11:06

While auditing the Kubernetes source code, I recently discovered an issue (CVE-2020-8563) in Kubernetes that may cause sensitive data leakage.

When creating a k8s cluster over vSphere, and enabling vSphere as a cloud provider with logging level set to 4 or above, the vSphere user credentials will be included in the cloud-controller-manager‘s log.

In this article you’ll understand this issue, what parts of Kubernetes are affected, and how to mitigate it.

Preliminary

Let’s start by listing the Kubernetes components that either cause, or are impacted by the issue.

  • Kube-controller-manager: The Kubernetes controller manager is a combination of the core controllers that watch for state updates, and make changes to the cluster accordingly. The controllers that currently ship with Kubernetes include:
    • Replication controller: Maintains the correct number of pods on the system, for replicating controller objects.
    • Node controller: Monitors the changes of the nodes.
    • Endpoints controller: Populates the endpoint object, which is responsible for joining the service object and pod object.
    • Service accounts and token controller: Manages service accounts and tokens for namespaces.
  • Cloud-controller-manager: Introduced in v1.6, it runs controllers to interact with the underlying cloud providers. This is an attempt to decouple the cloud vendor code from the Kubernetes code.
  • Informer/SharedInformer: The key component of a controller. They watch for changes on the current state of Kubernetes objects and send events to a Workqueue, where events are then popped up by worker(s) to be processed.
  • Secret: Kubernetes Secrets let you store and manage sensitive information, such as passwords, OAuth tokens, and ssh keys. Storing confidential information in a Secret is safer and more flexible than putting it verbatim in a Pod definition or in a container image.

The CVE-2020-8563 issue

The issue, CVE-2020-8563, is that: If you have a Kubernetes cluster running on vSphere, and its logging level is set to 4 or above, the vSphere credentials will be logged by cloud-controller-manager.

This section walks through the relevant code paths of Kubernetes, to explain what went wrong.

In the Kubernetes source code, you will find a folder called “legacy-cloud-providers”. It contains the legacy code for the cloud controllers: AWS, Azure, GCE, OpenStack and vSphere. Although they are deprecated, and will be removed in the future, they are still used until today. For example, if you use kops to create a Kubernetes cluster on AWS, you will find the following WARNING message about the cloud provider deprecation:

W0831 22:04:04.653364       1 plugins.go:115] WARNING: aws built-in cloud provider is now deprecated. The AWS provider is deprecated and will be removed in a future release

As the warning reveals, you are most likely using the legacy cloud provider.

The credentials are leaked when cloud-controller-manager starts. So let’s follow the execution to find the lines that are actually logging them.

When cloud-controller-manager starts, it also starts a bunch of controllers. While doing so, it also setups an informer on the user cloud object:

// startControllers start the cloud specific controller loops.
func startControllers(c *cloudcontrollerconfig.CompletedConfig, stopCh <-chan struct{}, cloud cloudprovider.Interface, controllers map[string]initFunc) error {
	// Initialize the cloud provider with a reference to the clientBuilder
	cloud.Initialize(c.ClientBuilder, stopCh)
	// Set the informer on the user cloud object
	if informerUserCloud, ok := cloud.(cloudprovider.InformerUser); ok {
		informerUserCloud.SetInformers(c.SharedInformers)
	}
	for controllerName, initFn := range controllers {
		if !genericcontrollermanager.IsControllerEnabled(controllerName, ControllersDisabledByDefault, c.ComponentConfig.Generic.Controllers) {
			klog.Warningf("%q is disabled", controllerName)
			continue
		}
		klog.V(1).Infof("Starting %q", controllerName)
		_, started, err := initFn(c, cloud, stopCh)
		if err != nil {
			klog.Errorf("Error starting %q", controllerName)
			return err
		}
			klog.Warningf("Skipping %q", controllerName)
			continue
		}
		klog.Infof("Started %q", controllerName)
...

The InformerUser is actually an interface:

type InformerUser interface {
  // SetInformers sets the informer on the cloud object.
  SetInformers(informerFactory informers.SharedInformerFactory)
}

Each cloud provider has its own implementation. If you look for the SetInformers function, you’ll find that each cloud provider AWS, Azure, GCE and vSphere implements it:

Below is the vSphere’s implementation:

// Initialize Node Informers
func (vs *VSphere) SetInformers(informerFactory informers.SharedInformerFactory) {
	if vs.cfg == nil {
		return
	}
	if vs.isSecretInfoProvided {
		secretCredentialManager := &SecretCredentialManager{
			SecretName:      vs.cfg.Global.SecretName,
			SecretNamespace: vs.cfg.Global.SecretNamespace,
			SecretLister:    informerFactory.Core().V1().Secrets().Lister(),
			Cache: &SecretCache{
				VirtualCenter: make(map[string]*Credential),
			},
		}
		if vs.isSecretManaged {
			klog.V(4).Infof("Setting up secret informers for vSphere Cloud Provider")
			secretInformer := informerFactory.Core().V1().Secrets().Informer()
			secretInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
				AddFunc:    vs.SecretAdded,
				UpdateFunc: vs.SecretUpdated,
			})
			klog.V(4).Infof("Secret informers in vSphere cloud provider initialized")
		}
...

According to the code, if the attributes “secret-name” and “secret-namespace” are specified in the vsphere.conf file, the condition “vs.isSecretInfoProvided” returns true.

There is another undocumented attribute “secret-not-managed” that can be configured in the vsphere.conf file. By default this attribute was false, so the condition “vs.isSecretManaged” always returns true.

As a consequence, there will always be a secret informer to handle events like creating and updating secrets.

We are getting close to the source of the issue…

In the “SecretAdded” function, we find the following:

// Notification handler when credentials secret is added.
func (vs *VSphere) SecretAdded(obj interface{}) {
  secret, ok := obj.(*v1.Secret)
  if secret == nil || !ok {
     klog.Warningf("Unrecognized secret object %T", obj)
     return
  }
  if secret.Name != vs.cfg.Global.SecretName ||
     secret.Namespace != vs.cfg.Global.SecretNamespace {
     return
  }
  klog.V(4).Infof("secret added: %+v", obj)
  vs.refreshNodesForSecretChange()
}

The “obj” variable contains all the information of the secret, including metadata like: secret name, namespace, and actual secret data.

This includes the vSphere credentials from the vsphere.conf file. The secret that matches the vsphere secret name and namespace will be logged as follows:

secret added: &Secret{ObjectMeta:{vsphere-secret  kube-system /api/v1/namespaces/kube-system/secrets/vsphere-secret 97345a64-db69-4adb-9444-e00e7345fd46 737933 0 2020-09-03 11:20:30 -0700 PDT <nil> <nil> map[] map[kubectl.kubernetes.io/last-applied-configuration:{"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{},"name":"vsphere-secret","namespace":"kube-system"},"stringData":{"vsphere.conf":"username: administrator@vsphere.localnpassword: password"},"type":"Opaque"}

Further investigation shows that the same also happens inside the “SecretUpdated” function.

Impact of CVE-2020-8563

According to the CVSS system, it scores 5.6 as medium severity.

This takes into account that, in order to make the secret leak happen, the attacker needs to find a way to set the log level of cloud-controller-manager to 4 or above. As the exploit requires privileges to access to the node where the component resides, the severity is just medium.

However, what if the log level of cloud-controller-manager was set to 4 or above in the beginning? For example, kubeadm was used to increase log verbosity to assist a troubleshoot.

Then the severity of this CVE score increases to 7.7 as high severity:

In this case there’s no need for special access. Everyone with access to the cloud-provider-controller’s log is able to view the secrets.

To summarize, the impacted Kubernetes clusters have the following configurations:

  1. Kuberentes clusters which were built on vSphere
  2. The logging level of cloud-controller-manager is set to 4 or above.
  3. They use a Kubernetes secret to store the vSphere credentials.

Overall, the secret stored clear text in the log archive is dangerous as the secret then could be exposed to any users or applications who have access to the log archives. People who have access to the vsphere credentials can act on behalf of the vsphere user. If the secret stores vSphere administrator’s credentials (which is the most likely), then the entire cluster could be compromised.

Mitigating CVE-2020-8563

If you’re impacted by this CVE, you should update your vSphere password immediately. Expired credentials can’t be used to access your vSphere data center.

Even if the log level of cloud-controller-manager was set to its default value, you should check for Kubernetes components like kube-apiserver, kube-controller-manager that may be starting with a verbose log.

Falco, a CNCF incubating project, can help detect anomalous activities in cloud native environments. The following falco rule can help you detect if you are impacted by CVE-2020-8563:

- list: kube_controller_manager_image_list
  items:
  - "k8s.gcr.io/kube-controller-manager"

- macro: kube_controller_manager
  condition: (proc.name=kube-controller and container.image.repository in (kube_controller_manager_image_list))

- list: kube_apiserver_image_list
  items:
  - "k8s.gcr.io/kube-apiserver"

- macro: kube_apiserver
  condition: (proc.name=kube-apiserver and container.image.repository in (kube_apiserver_image_list))

- list: vsphere_cloud_manager_image_list
  items:
  - "gcr.io/cloud-provider-vsphere/cpi/release/manager"

- macro: vsphere_cloud_manager
  condition: (proc.name=vsphere-cloud-c and container.image.repository in (vsphere_cloud_manager_image_list))

# TODO: add more components like kube-proxy, kube-scheduler
- macro: kube_components
  condition: (kube_apiserver or kube_controller_manager or vsphere_cloud_manager)

# default log level is 2, any log level greater than 2 is considered verbose
- macro: verbose_log
  condition: ((evt.args contains "-v=" or evt.args contains "--v=") and not (evt.args contains "-v=0" or evt.args contains "-v=1" or evt.args contains "-v=2" or evt.args contains "--v=0" or evt.args contains "--v=1" or evt.args contains "--v=2"))

- rule: Kube Componentes Started with Verbose Log Level
  desc: Detected kube components like kube-apiserver, kube-proxy started with verbose log enabled
  condition: spawned_process and kube_components and verbose_log
  output: Kube components started with verbose log enabled (command=%proc.cmdline program=%proc.name container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags:
  - "process"

This rule will detect Kubernetes components starting with a verbose log.

The security event output will look like this in Sysdig Secure (which uses Falco underneath):

Conclusion

You might be following the best practices to harden the kube-apiserver, as it is the brain of the Kubernetes cluster, and also etcd, as it stores all the critical information about the Kubernetes cluster. However, if there is one thing CVE-2020-8563 teaches us, is that we shouldn’t stop there as we need to secure every Kubernetes component.

Sysdig Secure can help you benchmark your Kubernetes cluster, and check whether it is compliant with security standards like PCI, or NIST. Try it today!

The post Understanding and mitigating CVE-2020-8563: vSphere credentials leak in the cloud-controller-manager log appeared first on Sysdig.


Source: /reganam-rellortnoc-duolc-slaitnederc-erehpsv-3658-0202-evc/golb/moc.gidsys

Read:300 | Comments:0 | Tags:Falco Kubernetes Sysdig Secure cve falco VSphere Cloud

“Understanding and mitigating CVE-2020-8563: vSphere credentials leak in the cloud-controller-manager log”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools