Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-25749: runAsNonRoot logic bypass for Windows containers #173

Open
pacoxu opened this issue Sep 15, 2022 · 1 comment
Open

CVE-2021-25749: runAsNonRoot logic bypass for Windows containers #173

pacoxu opened this issue Sep 15, 2022 · 1 comment
Labels
1.18 1.19 1.20 1.21 priority/low Low(Score<4.0) CVSS Score CVE

Comments

@pacoxu
Copy link
Member

pacoxu commented Sep 15, 2022

What happened?

A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true .

This issue has been rated low and assigned CVE-2021-25749

What did you expect to happen?

Detection

Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please contact [email protected]

Additional Details

See the GitHub issue for more details: kubernetes/kubernetes#112192

Acknowledgements

This vulnerability was reported and fixed by Mark Rosetti (@marosset)

CVSS Rating: Low (3.4) CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

How can we reproduce it (as minimally and precisely as possible)?

Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with runAsNonRoot are impacted

Anything else we need to know?

Affected Versions

  • kubelet v1.20 - v1.21
  • kubelet v1.22.0 - v1.22.13
  • kubelet v1.23.0 - v1.23.10
  • kubelet v1.24.0 - v1.24.4

How do I mitigate this vulnerability?
There are no known mitigations to this vulnerability.

Fixed Versions

  • kubelet v1.22.14
  • kubelet v1.23.11
  • kubelet v1.24.5
  • kubelet v1.25.0

To upgrade, refer to this documentation For core Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

@github-actions
Copy link

Hi @pacoxu,
Thanks for opening an issue!
We will look into it as soon as possible.

Details Instructions for interacting with me using comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the [gh-ci-bot](https://github.com/wzshiming/gh-ci-bot) repository.

@pacoxu pacoxu added priority/low Low(Score<4.0) CVSS Score CVE 1.18 1.19 1.20 1.21 labels Sep 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
1.18 1.19 1.20 1.21 priority/low Low(Score<4.0) CVSS Score CVE
Projects
None yet
Development

No branches or pull requests

1 participant