New Kubernetes command-line flaw discovered

Written by Mon 24 Jun 2019

Latest kubectl vulnerability linked to incomplete patch of previous flaw discovered in March

A security researcher has discovered a fresh flaw in the container orchestration platform Kubernetes which, if exploited, could allow attackers to place malicious containers on users' workstations.

The vulnerability affects kubectl, the Kubernetes command-line tool, which among other things allows users to copy files between containers and their own machines.

The vulnerability was discovered by Charles Holmes, who works for infosec consultancy Atredis Partners, as part of the Cloud Native Computing Foundation-sponsored Kubernetes Third-Party Security Audit – a team created in October to audit the security of the Kubernetes repositories.

Speaking on behalf of the Kubernetes Product Security Committee, Joel Smith linked the flaw to CVE-2019-1002101, an issue discovered in March that also enabled attackers to embed malicious containers via kubectl and that was supposedly patched.

“The original fix for that issue was incomplete and a new exploit method was discovered,” Smith said.

The latest vulnerability, which can be fixed by upgrading kubectl to 1.12.9, 1.13.6, or 1.14.2 or later, enables attackers to embed malicious code within a container's tar binary, potentially allowing them to write files to any path on the user's machine when kubectl is called, Smith wrote.
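The flaw described above is a path-traversal problem in the client: the archive comes from a container the user does not control, so every entry name in it must be treated as attacker-chosen before anything is written to the local disk. The following Go program is an added illustration of the check a defender wants on the receiving side; it is not kubectl's own code and does not reproduce the project's fix. It builds a small tar stream in memory (constructed sample data, with one benign entry and three entries that would escape or link outside the destination) and runs an extractor that only writes regular files and directories whose resolved path stays inside the destination directory. The function names `buildSampleArchive`, `safeTarget` and `extractSafely` are hypothetical.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// sampleEntry describes one entry of the constructed archive below.
type sampleEntry struct {
	name, body, linkname string
	typeflag             byte
}

// buildSampleArchive returns an in-memory tar stream (constructed sample data,
// not captured from a real container) containing one benign file, two entries
// whose names point outside the destination, and a symlink to an absolute path.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []sampleEntry{
		{name: "app/config.yaml", body: "replicas: 3\n", typeflag: tar.TypeReg},
		{name: "../../escape.txt", body: "outside\n", typeflag: tar.TypeReg},
		{name: "/abs/path.txt", body: "absolute\n", typeflag: tar.TypeReg},
		{name: "app/link", linkname: "/etc/passwd", typeflag: tar.TypeSymlink},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)),
			Typeflag: e.typeflag, Linkname: e.linkname}
		_ = tw.WriteHeader(hdr)
		_, _ = tw.Write([]byte(e.body))
	}
	_ = tw.Close()
	return buf.Bytes()
}

// safeTarget resolves an archive entry name under dest and reports whether the
// cleaned result still lies inside dest. Absolute names are rejected outright;
// relative names are checked after cleaning so "a/../../x" cannot slip through.
func safeTarget(dest, name string) (string, bool) {
	if filepath.IsAbs(name) {
		return "", false
	}
	target := filepath.Join(dest, filepath.FromSlash(name))
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", false
	}
	return target, true
}

// extractSafely writes only regular files and directories that resolve inside
// dest. Symlinks and hard links are rejected because their link target is also
// attacker-chosen. It returns the entry names written and the names rejected.
func extractSafely(r io.Reader, dest string) (written, rejected []string, err error) {
	dest = filepath.Clean(dest)
	tr := tar.NewReader(r)
	for {
		hdr, nextErr := tr.Next()
		if nextErr == io.EOF {
			return written, rejected, nil
		}
		if nextErr != nil {
			return written, rejected, nextErr
		}
		target, ok := safeTarget(dest, hdr.Name)
		if !ok || (hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir) {
			rejected = append(rejected, hdr.Name) // traversal, absolute path, or link entry
			continue
		}
		if hdr.Typeflag == tar.TypeDir {
			if mkErr := os.MkdirAll(target, 0o755); mkErr != nil {
				return written, rejected, mkErr
			}
			written = append(written, hdr.Name)
			continue
		}
		if mkErr := os.MkdirAll(filepath.Dir(target), 0o755); mkErr != nil {
			return written, rejected, mkErr
		}
		f, openErr := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
		if openErr != nil {
			return written, rejected, openErr
		}
		if _, copyErr := io.Copy(f, tr); copyErr != nil {
			f.Close()
			return written, rejected, copyErr
		}
		f.Close()
		written = append(written, hdr.Name)
	}
}

func main() {
	dest, err := os.MkdirTemp("", "safe-extract-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	written, rejected, err := extractSafely(bytes.NewReader(buildSampleArchive()), dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("written: ", written)  // [app/config.yaml]
	fmt.Println("rejected:", rejected) // [../../escape.txt /abs/path.txt app/link]
}
```

The important design choice is that the decision is made on the cleaned, joined path relative to the destination rather than by scanning the raw name for `..`, and that link entries are refused instead of being created and resolved later; a client that trusts the remote tar stream for either of these is exposed to exactly the kind of arbitrary-path write the advisory describes.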

Containers allow engineers to develop software that is agnostic of the environment it runs in. The enterprise popularity of the container orchestrator Kubernetes has skyrocketed since it established itself as the linchpin for multicloud deployments. According to a JetBrains report, 29 percent of developers now use Kubernetes.

In December, the first major security flaw in the platform was discovered, one that allowed attackers to infiltrate backend servers. Kubernetes quickly issued patched versions that resolved the flaw.
