Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes

upnorth

A high-severity security vulnerability in the Kyverno admission controller for container images could allow malicious actors to import a raft of nefarious code into cloud production environments.

The Kyverno admission controller offers a signature-verification mechanism designed to ensure that only signed, validated container images are being pulled into a given Kubernetes cluster. This can ward off any number of bad outcomes, given that boobytrapped container images can contain payloads as varied as cryptominers, rootkits, exploit kits for container escape and lateral movement, credential stealers, and more. However, the bug (CVE-2022-47633) can be exploited to subvert that mechanism. "The vulnerability enables an attacker … to inject unsigned images into the protected cluster, bypassing the image verification policy," explained researchers at ARMO, in a blog post on Dec. 21. The stakes are high: The attacker can effectively take control of a victim’s pod and use all of its assets and credentials, including the service account token to access the API server, they warned.

"The vulnerability enables a complete bypass of image signature verification. In the case of a Kubernetes cluster, this gives an attacker a wide range of targets. Any workload can mount cluster secrets and data volumes," Ben Hirschberg, CTO and co-founder of ARMO, tells Dark Reading. "This means the attacker can inject code that can steal data and credentials from the Kubernetes cluster of the victim. This also enables the attacker to inject his/her own code and use the CPU of the victim for things like cryptocurrency mining."
To carry out a real-world attack, threat actors can use either compromised accounts on existing registries to host malicious images, or they can establish their own private container registry and then set about convincing an admin to trust it. From a practical standpoint, "creating a malicious registry for an experienced attacker is not a challenge," Hirschberg says. "An attacker can take any open source registry software, make some minor modifications to make the attack work, and run it in the cloud under a custom domain."

The next step is to convince an admin to trust the malicious container, which is also not that difficult. Container images from third parties are often used to spin up ready-made applications, in much the same way that app developers source prebuilt code blocks from open repositories like npm — the idea is to not have to reinvent the wheel for common functions and utilities.
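As an added defender-side illustration (not ARMO's or the Kyverno project's own configuration, and not a fix for CVE-2022-47633 itself, which needs a patched Kyverno release), the following Kyverno ClusterPolicy combines the two controls the article touches on: it refuses pods that reference any registry other than the organisation's own, and it requires a cosign signature on every image from that registry, pinning the pod to the verified digest. The policy name, the registry hostname `registry.example.internal` and the public-key block are placeholders.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images-example   # placeholder name
spec:
  validationFailureAction: Enforce     # reject, do not merely audit
  background: false
  failurePolicy: Fail                  # an unreachable webhook must not admit pods
  webhookTimeoutSeconds: 30
  rules:
    # Rule 1: a pod may only reference the organisation's registry, so a
    # pod spec cannot point at an attacker-operated registry at all.
    - name: restrict-registries
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Images must come from registry.example.internal (placeholder)."
        pattern:
          spec:
            =(initContainers):
              - image: "registry.example.internal/*"
            containers:
              - image: "registry.example.internal/*"
    # Rule 2: every image from that registry must carry a cosign signature
    # made with the organisation's key. mutateDigest rewrites the image
    # reference to the verified digest and verifyDigest requires that digest,
    # so the kubelet pulls exactly the content that passed verification.
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "registry.example.internal/*"
          required: true
          mutateDigest: true
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <placeholder: the organisation's cosign public key>
                      -----END PUBLIC KEY-----
```

Applying a policy like this is a layered control alongside upgrading Kyverno; it narrows which registries an admission decision can depend on, but only a patched admission controller closes the verification bypass the article describes.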