Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2018-1002103: Dashboard vulnerable to DNS rebinding attack #3208

Closed
tstromberg opened this issue Oct 2, 2018 · 2 comments
Closed

CVE-2018-1002103: Dashboard vulnerable to DNS rebinding attack #3208

tstromberg opened this issue Oct 2, 2018 · 2 comments
Assignees
@tstromberg
Labels
co/dashboard dashboard related issues kind/security security issues

Comments

@tstromberg
Copy link
Contributor

tstromberg commented Oct 2, 2018
edited
Loading

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

minikube exposes the Kubernetes Dashboard service with a configuration that makes it vulnerable to DNS rebinding attacks.

Thanks to Alex Kaskasoli (MWR Labs) for reporting this problem [1]

Vulnerable versions:

  • minikube 0.3.0 - 0.29.0

Vulnerable configurations:

  • VM environments which use a predictable IP address, such as VirtualBox or "None".

Vulnerability impact:

If an attacker gets a victim to visit a malicious web page, the attacker may be able to execute arbitrary code within the victim's minikube cluster.

minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard without violating the Same-Origin Policy.

The attacker can generate a CSRF token from the /api/v1/csrftoken/appdeploymentfromfile endpoint, and pass this token to the /api/v1/appdeploymentfromfile endpoint to create a new Kubernetes Deployment running a payload of their choosing.

This vulnerability can be combined with a VM-specific vulnerability to escape to the host operating system. If minikube mount is in use, the attacker could also directly access the host filesystem.

Fixed versions:

Fix impact:

Network access to the dashboard service is now provided on an as-needed basis, and is managed by kubectl proxy which enforces HTTP header checks to protect against DNS rebinding attacks.

Mitigations before upgrading:

Disable the dashboard entirely:

kubectl --namespace kube-system delete deployment kubernetes-dashboard

Additional information
@tstromberg tstromberg added kind/bug Categorizes issue or PR as related to a bug. co/dashboard dashboard related issues labels Oct 2, 2018
@tstromberg tstromberg self-assigned this Oct 2, 2018
@tstromberg tstromberg mentioned this issue Oct 3, 2018
Merged
@tstromberg tstromberg changed the title minikube dashboard host checking CVE-2018-xxx: Dashboard is susceptible to DNS rebinding attack Oct 8, 2018
@tstromberg tstromberg added kind/security security issues and removed kind/bug Categorizes issue or PR as related to a bug. labels Oct 8, 2018
@tstromberg tstromberg changed the title CVE-2018-xxx: Dashboard is susceptible to DNS rebinding attack CVE-2018-TBD: Dashboard is susceptible to DNS rebinding attack Oct 8, 2018
@tstromberg tstromberg changed the title CVE-2018-TBD: Dashboard is susceptible to DNS rebinding attack CVE-2018-1002103: Dashboard is susceptible to DNS rebinding attack Oct 9, 2018
@tstromberg tstromberg changed the title CVE-2018-1002103: Dashboard is susceptible to DNS rebinding attack CVE-2018-1002103: Dashboard vulnerable to DNS rebinding attack Oct 9, 2018
@tstromberg tstromberg mentioned this issue Oct 11, 2018
Closed
periklis added a commit to periklis/nixpkgs that referenced this issue Oct 12, 2018
@periklis
minikube: bump version 0.29.0 -> 0.30.0
e5ee89f 
This is a fix release for CVE-2018-1002103. More details in
kubernetes/minikube#3208
@periklis periklis mentioned this issue Oct 12, 2018
Merged
9 tasks
srhb pushed a commit to NixOS/nixpkgs that referenced this issue Oct 12, 2018
@periklis @srhb
minikube: bump version 0.29.0 -> 0.30.0
c0c867d 
This is a fix release for CVE-2018-1002103. More details in
kubernetes/minikube#3208

(cherry picked from commit e5ee89f)
Backport of #48256
@bhishekarora
Copy link

minikube is not running in production for any one and its only for learning and prototyping, who is going to do DNS attacks if its not on a public domain.

@serain
Copy link

serain commented Mar 19, 2021
edited
Loading

@bhishekarora you would target developers using minikube, and from there pwn the things the developers have access to.

  1. phish employees who you know are likely to be using minikube locally. just get them to click a link.
  2. run a waterhole on a website you control (i.e. "Getting started with Kubernetes using Minikube" or "Explore the latest Kubernetes features with Minikube")

one thing to note is that this issue allowed trivial VM escape, so you would gain RCE and persistence on the host OS (and the engineer's passwords, private keys, emails etc.)

full disclosure: I'm the nerd who reported this issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tstromberg tstromberg

Labels
co/dashboard dashboard related issues kind/security security issues
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tstromberg @serain @bhishekarora