When a Kubernetes CRD controller responsible for analyzing a specific CR is vulnerable, attackers may control certain custom resources and inject malicious payloads, which can trigger malicious behavior when the controller parses, processes, or stores the CRs, or generates other related resources.
Injections can be classified in three different ways.
- Template injection
- Delimiter injection, e.g. semicolon (;), newline (\n), closing brace (}), double quote (")
- Object or object reference injection
- Information disclosure - exposing sensitive environment variables, or injecting into environments the attacker controls
- Expression injection - executable scripts, expressions, hooks, macros, SQL
- Configuration file injection
- Possible targets: file paths, request parameters, database access-control bypass
- Cascading injection (injecting into an upper-level CR so that the controller generates malicious lower-level components, such as Pods, when it creates the CR's various components)
- Annotation injection
- Spec injection due to insufficient validation
- Controllable references

- The injection point is the lb-type annotation.
- The injection type is newline injection / template injection.
- The injected content is a malicious Pod configuration.
- The PoC injects a name into the annotation, follows it with an entire Pod configuration, and then reads the flag information stored in the secret.
- It is the same issue as CVE-2022-21701 (Istio): https://paper.seebug.org/1882/

- The injection point is the annotation.
- The injection type is delimiter injection (;).
- The injected content can be an nginx configuration file or a Lua script that leaks service account information.
- Reference: https://hackerone.com/reports/1728174 (Lua expression injection leading to code execution); CVE-2021-25742 and CVE-2021-25746.
- https://hackerone.com/reports/1378175 (nginx controller file leak)
- CVE-2023-5044: https://raesene.github.io/blog/2023/10/29/exploiting-CVE-2023-5044/ (Lua injection leading to code execution)
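The delimiter-injection pattern described above (an annotation value concatenated into a generated nginx configuration) and the defensive allowlist that stops it, as an added example; this is not code from the page or from any real ingress controller. The annotation values, the `render_location_*` functions and the `SAFE_PATH` regex are constructed for illustration.

```python
import re

# Constructed sample annotation values (not taken from the page or from any
# real controller). The delimiters used, ';' and newline, are the ones the
# notes above list as delimiter-injection characters.
SAMPLE_ANNOTATIONS = {
    "benign": "/api",
    "newline": "/api;\nadd_header X-Injected yes;",
    "brace": "/api { }",
}

# Naive rendering, as a vulnerable controller might do it: the annotation
# value is concatenated straight into the generated nginx location block, so
# a ';', newline or brace inside it changes the structure of the config.
def render_location_naive(path: str) -> str:
    return "location " + path + " { proxy_pass http://upstream; }"

# Allowlist for the value: a URI path built only from unreserved characters.
# Hypothetical regex chosen for this example; the same expression can be set
# as a `pattern` in the CRD's OpenAPI v3 schema so the API server rejects the
# object before the controller ever sees it.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")

def is_safe_annotation(value: str) -> bool:
    return SAFE_PATH.fullmatch(value) is not None

# Hardened rendering: validate against the allowlist, then interpolate.
def render_location_safe(path: str) -> str:
    if not is_safe_annotation(path):
        raise ValueError(f"rejected annotation value: {path!r}")
    return render_location_naive(path)

# Crude structural check: count directive terminators in the rendered block.
# A benign path yields exactly one (the proxy_pass directive); an injected
# value yields more, which is the signal a unit test or admission webhook
# can key on.
def count_directives(config: str) -> int:
    return config.count(";")

if __name__ == "__main__":
    for label, value in SAMPLE_ANNOTATIONS.items():
        rendered = render_location_naive(value)
        print(f"{label}: naive -> {count_directives(rendered)} directive(s); "
              f"allowlist accepts: {is_safe_annotation(value)}")
```

Validating with an allowlist is preferable to escaping here because nginx has no single quoting rule that neutralizes every delimiter in every directive context; rejecting anything outside the expected character set is both simpler and easier to express as a CRD schema `pattern`.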

- Background: in a multi-tenant system, one tenant is the attacker.
- The injection point is the env environment variable list (controlled by tenants).
- The injection type is object injection via an unsafe reference.
- Impact: a single tenant can directly leak either the controller's own secrets or any specified Secret/ConfigMap key readable by the controller.
- Injecting env entries that use secretKeyRef pulls in other objects' data. Reference: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data
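A check a controller can run over tenant-supplied env entries before copying them into a Pod it creates, as an added example (not code from the page or from any real controller). The sample env list, the object names and the helper functions are constructed for illustration; the `valueFrom.secretKeyRef` and `valueFrom.configMapKeyRef` shapes are the ones from the Kubernetes docs linked above.

```python
# Constructed sample: the env list of a tenant-controlled CR. Entry names and
# object names are made up for this example. The second entry uses the
# valueFrom.secretKeyRef form from the Kubernetes docs; with unsafe reference
# handling the controller would resolve it in its own namespace/service
# account context and hand the value to the tenant's container.
SAMPLE_TENANT_ENV = [
    {"name": "LOG_LEVEL", "value": "info"},
    {"name": "LEAKED",
     "valueFrom": {"secretKeyRef": {"name": "controller-credentials", "key": "token"}}},
    {"name": "MODE",
     "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "mode"}}},
]

def find_unsafe_refs(env, allowed_secrets=frozenset(), allowed_configmaps=frozenset()):
    """Return (envName, refKind, objectName) for every valueFrom entry that
    points at a Secret or ConfigMap the tenant is not explicitly allowed to
    read. fieldRef and resourceFieldRef are always reported, since they
    expose Pod metadata the controller did not intend to hand out."""
    findings = []
    for entry in env:
        value_from = entry.get("valueFrom") or {}
        for kind, ref in value_from.items():
            target = ref.get("name") if isinstance(ref, dict) else None
            if kind == "secretKeyRef" and target in allowed_secrets:
                continue
            if kind == "configMapKeyRef" and target in allowed_configmaps:
                continue
            findings.append((entry.get("name"), kind, target))
    return findings

def sanitize_env(env):
    """Strict policy: keep only literal name/value pairs and drop every
    valueFrom entry, so no object reference from the tenant is resolved."""
    return [e for e in env if "valueFrom" not in e]

if __name__ == "__main__":
    for finding in find_unsafe_refs(SAMPLE_TENANT_ENV):
        print("unsafe reference:", finding)
    print("sanitized env:", sanitize_env(SAMPLE_TENANT_ENV))
```

The same check should be applied to `envFrom`, volume mounts and any other field that names a Secret or ConfigMap, and it only helps if the generated Pod is created in the tenant's namespace rather than the controller's: references are resolved by the kubelet in the Pod's namespace, so a controller that creates tenant Pods next to its own credentials has already lost the isolation boundary.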

- CRD Kubernetes documentation: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/
- CRD validation Kubernetes documentation: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation
- OpenAPI v3 schema object: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.0.md#schemaObject
The root cause of these vulnerabilities is design issues in CRD controllers. In multi-user or SaaS scenarios, users may have direct or indirect control over certain resources within the cluster (CRD resources or other resources). The controllers for these resources may directly or indirectly concatenate user-controlled data into what they generate, leading to injection vulnerabilities of this nature and further compromising security within the cluster.