Source: securityboulevard.com – Author: Stevie Caldwell
Keeping up to date with critical vulnerabilities related to Kubernetes can be challenging for a variety of reasons. The biggest one may be Kubernetes itself: it’s a complex and rapidly evolving platform, with updates and new features (not to mention changes to APIs and add-ons) being introduced regularly. Kubernetes environments are scalable and dynamic, so a single vulnerability can have a wide-ranging impact. Staying informed about the latest vulnerabilities affecting the Kubernetes ecosystem is difficult, in part because of the diverse attack surface K8s presents.
Vulnerability management is an ongoing process that involves multiple steps. Kubernetes security itself is a complex topic, so let’s focus on the process for managing Common Vulnerabilities and Exposures (CVEs). First and foremost, you need to monitor the CVE database and relevant vendor announcements (for example, here’s a list of the nginx security advisories) for new vulnerabilities and use automated vulnerability scanning tools to identify CVEs in your images, systems, and applications. You’ll also need to maintain an up-to-date inventory of all assets in your environment. (Otherwise, how would you know that you were at risk from a vulnerability in a commonly used open source project?)
You’ll also need to evaluate the CVEs based on their Common Vulnerability Scoring System (CVSS) score, which measures the severity of the vulnerability using the Base, Threat, Environmental, and Supplemental metric groups. The higher the score, the greater the severity, but severity is not the same as risk. To evaluate risk, you’ll need to prioritize CVEs by considering how they could impact your organization’s critical business assets and processes. Then you’ll need to plan how (and in what order) to patch or remediate those CVEs, testing patches in controlled environments before deploying them to production. Sometimes a patch takes a long time to roll out, in which case you may need to consider mitigation strategies. Identifying, prioritizing, and patching or mitigating CVEs in a timely manner helps you minimize risk and ensure business continuity.
Kubernetes is a complex environment, and it has its own official CVE feed you can reference, which is maintained by the community based on official CVEs announced by the Kubernetes Security Response Committee. It’s important to remember, however, that this isn’t an exhaustive list of all the CVEs that might impact your K8s infrastructure. In this post, we walk through the top five CVEs that we remediated for our clients to ensure their infrastructure remained secure and available in 2024.
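To make the monitor-then-prioritize process above concrete, here is an added Python example (not code from the post or from Fairwinds) that reads entries in the layout of the official Kubernetes CVE feed, buckets CVSS base scores into the standard severity bands, and ranks CVEs by whether the affected component is actually deployed and reachable. The feed field names, the component-to-score mapping and the asset inventory are assumptions constructed from the figures in the post; the live feed carries no CVSS data, so the scores would normally come from an NVD lookup.

```python
"""Triage CVEs from the Kubernetes feed plus vendor advisories (added example,
not the post's code). Feed items are assumed to carry ``id`` and ``date_published``
as in the live JSON Feed; scores, components and the inventory are constructed."""
import json

# Constructed sample in the shape of the official Kubernetes CVE feed.
FEED_JSON = """{"version": "https://jsonfeed.org/version/1.1", "items": [
 {"id": "CVE-2024-7646", "summary": "Ingress-nginx Annotation Validation Bypass",
  "date_published": "2024-08-16T00:00:00Z"}]}"""

# Constructed advisory data: affected component and CVSS base score, figures from the post.
ADVISORIES = {
    "CVE-2024-21626": ("runc", 8.6),
    "CVE-2024-3094": ("xz-utils", 10.0),
    "CVE-2024-31989": ("argo-cd", 9.0),
    "CVE-2024-6387": ("openssh", 8.1),
    "CVE-2024-7646": ("ingress-nginx", 8.8),
}

# Constructed inventory: deployed components and whether each is reachable from outside.
INVENTORY = {"runc": {"exposed": False}, "openssh": {"exposed": False},
             "ingress-nginx": {"exposed": True}}

def cvss_severity(score):
    """CVSS v3.x qualitative rating for a base score."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return label
    return "none"

def feed_ids(text):
    """CVE ids of every item in a JSON Feed document."""
    return [item["id"] for item in json.loads(text)["items"]]

def triage(cve_ids, advisories, inventory, min_score=7.0):
    """Drop CVEs below min_score; rank the rest exposed, deployed, tracked, then by score."""
    rows = []
    for cve in cve_ids:
        component, score = advisories[cve]
        if score < min_score:
            continue  # severity alone is not risk, but it sets the cut-off
        deployed = component in inventory
        exposed = deployed and inventory[component]["exposed"]
        action = "patch now" if exposed else "patch" if deployed else "track"
        rows.append({"cve": cve, "component": component, "score": score,
                     "severity": cvss_severity(score), "action": action})
    order = {"patch now": 0, "patch": 1, "track": 2}
    rows.sort(key=lambda r: (order[r["action"]], -r["score"]))
    return rows
```

Calling `triage(sorted(set(feed_ids(FEED_JSON)) | set(ADVISORIES)), ADVISORIES, INVENTORY)` ranks the ingress-nginx CVE first even though xz-utils carries the 10.0 score, which is the severity-versus-risk distinction the post draws.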
1. CVE-2024-21626
runC
First disclosed on January 31, 2024, CVE-2024-21626 was last modified on November 21, 2024 and reported by GitHub, Inc. The base score for this CVE is 8.6, making it a high severity vulnerability.
- Impact: runC is a command line interface (CLI) tool used to launch containers on Linux-based systems according to the Open Container Initiative (OCI) specification (a set of open industry standards around container formats and runtimes, covering the runtime, image, and distribution specifications). It’s used by Docker and containerd under the hood. This vulnerability allows a process in a newly launched container to obtain a working directory in the host node’s filesystem, giving it access to the underlying host’s filesystem (a container escape).
- How Fairwinds SREs mitigated the CVE: Upgraded all nodes to versions of the operating system (OS) with a patched version of runC to prevent malicious attackers from exploiting this vulnerability through affected images, Dockerfiles, or processes within containers.
2. CVE-2024-3094
XZ Utils
First disclosed on March 29, 2024, CVE-2024-3094 was last modified on November 21, 2024 and reported by Red Hat, Inc. The base score for this CVE is 10.0, making it a critical severity vulnerability. It’s relatively rare to have 10.0 vulnerabilities, which represent the most severe security issues, typically involving full compromise of confidentiality, integrity, and availability. These vulnerabilities demand immediate attention and remediation due to their critical impact.
- Impact: XZ Utils is a widely distributed suite of tools for lossless compression. The affected versions ship with malicious code injected into the packages used to install them.
- How Fairwinds SREs mitigated the CVE: One requirement for this exploit is that the SSH port be publicly accessible, which Fairwinds does not do by default as it is not a secure way to run Kubernetes. At the time the CVE was disclosed, we also were already running runC versions for our clients that were not vulnerable to this vulnerability.
3. CVE-2024-31989
Argo CD
First disclosed on May 21, 2024, CVE-2024-31989 was last modified on November 21, 2024 and reported by GitHub, Inc. The base score for this CVE is 9.0, making it a critical severity vulnerability.
- Impact: Argo CD is a declarative, GitOps continuous delivery tool designed specifically for Kubernetes environments to automate the deployment and synchronization of application states with Git repositories. By default, Argo CD installs with a redis instance that has no password. It is therefore accessible by other pods in other namespaces, potentially enabling privilege escalation and information leakage.
- How Fairwinds SREs mitigated the CVE: Upgraded the version of Argo CD to a new version that fixes this vulnerability to prevent privilege escalation to the level of cluster control or to information leakage.
4. CVE-2024-6387
OpenSSH
First disclosed on July 1, 2024, CVE-2024-6387 was last modified on November 21, 2024 and reported by Red Hat, Inc. The base score for this CVE is 8.1, making it a high severity vulnerability.
- Impact: An unauthenticated remote user could exploit a race condition related to sshd’s SIGALRM handler. The race condition could allow this unauthenticated user to access the system remotely.
- How Fairwinds SREs mitigated the CVE: Although this is really an OS-level issue and not a Kubernetes-specific one (since sshd is included in common Linux distros), because the nodes used in a cluster run on these OSes, it is still relevant for Kubernetes environments. In this instance, our clients were not running an affected version of sshd on our Ubuntu nodes. However, Google Kubernetes Engine (GKE) nodes were affected and updated as soon as patched versions were released.
5. CVE-2024-7646
Ingress-nginx Annotation Validation Bypass #126744
First disclosed on August 16, 2024, CVE-2024-7646 was last modified on November 21, 2024 and reported by Kubernetes. The base score for this CVE is 8.8, making it a high severity vulnerability.
- Impact: Anyone with the ability to create ingress resources in a cluster (which is usually just about anyone) can bypass annotation validation and inject arbitrary commands. One result of this could be obtaining the serviceaccount credentials for the nginx controller, which by default has access to view all secrets in a cluster.
- How Fairwinds SREs mitigated the CVE: We upgraded our clients quickly to a patched version of nginx, which is an open source HTTP web server, reverse proxy, content cache, load balancer, TCP/UDP proxy server, and mail proxy server. It’s well known for its high performance and scalability; low memory usage; asynchronous, event-driven architecture; and ability to handle hundreds of thousands of concurrent connections. nginx is one of the most popular web servers for hosting applications and websites.
Are You Patching Kubernetes CVEs?
Staying on top of high and critical Kubernetes CVEs is critical for maintaining a secure and compliant infrastructure and preventing malicious actors from compromising your environment. However, staying on top of these vulnerabilities can be time-consuming and resource-intensive. Fairwinds Managed Kubernetes-as-a-Service makes it simple for our customers and clients to relax, because we constantly monitor for high and critical vulnerabilities impacting Kubernetes, ensuring these CVEs are patched without disrupting your teams or business workflows.
Fairwinds’ proactive approach improves your security posture and allows your team to focus on innovation rather than constantly tracking new CVEs and determining how best to address them. By rapidly identifying CVEs and remediating them, our clients can rest assured that even critical vulnerabilities will be handled quickly. Have you patched these top five Kubernetes CVEs? If you need help managing your Kubernetes infrastructure, reach out to learn how Fairwinds Managed Kubernetes-as-a-Service can help.
*** This is a Security Bloggers Network syndicated blog from Fairwinds | Blog authored by Stevie Caldwell. Read the original post at: https://www.fairwinds.com/blog/the-top-5-high-critical-kubernetes-cves-of-2024-have-you-patched-them-yet
Original Post URL: https://securityboulevard.com/2024/12/the-top-5-kubernetes-cves-of-2024-have-you-patched-them-yet/
Category & Tags: Security Bloggers Network, Managed Kubernetes, security