A security issue regarding calleido

[sparkEchooo]

Summary

The calleido in GKE gave excessive authority when defining Service Account named "calleido-cert-manager-cainjector". Besides, this Service Account is mounted in a Pod named "calleido-cert-manager-cainjector", witch makes it possible for attackers to raise rights to administrators.

Detailed Analysis

• I deployed calleido in the marketplace of Google's GKE cluster.
• The clusterrole named "calleido-1-cert-manager-cainjector" defines the "update" verb of "mutatingconfiguration, validatingconfiguration". And this clusterrole is bound to the Service Account named "calleido-cert-manager-cainjector".

Attacking Strategy

If a malicious user controls a specific worker node which has the Pod mentioned above , or steals the Service Account token mentioned above. He/She can raise permissions to administrator level and control the whole cluster. For example,

• With the "update" verb of "mutatingconfiguration, validatingconfiguration", attacker can elevate privileges by updating MutatingWebhookConfigurations to listen and modify any resource and event in the cluster.

Mitigation Discussion

• Developer could delete the "update" verb of "mutatingconfiguration, validatingconfiguration" defined in clusterrole.

A few questions

• Is it a real issue in calleido?
• If it's a real issue, can calleido mitigate the risks following my suggestions discussed in the "mitigation discussion"? If it's a real issue, does calleido plan to fix this issue?

[sparkEchooo]

Dear calleido maintainers: I am Xingyu Liu, and I found this potential risk in calleido that can be leveraged to get the cluster's admin token, resulting in cluster-level privilege escalation. These are some similar issues that have been confirmed for your reference: kubewarden (https://nvd.nist.gov/vuln/detail/CVE-2023-22645) Clusternet (https://nvd.nist.gov/vuln/detail/CVE-2023-30622) OpenFeature (https://nvd.nist.gov/vuln/detail/CVE-2023-29018)

I hope this information will assist you in better understanding and addressing my report. If you require any further details about the report itself, please feel free to contact me. I am looking forward to your reply!

[sparkEchooo]

Hi there,

Would it be possible to kindly inquire about the progress of the survey? Looking forward to your reply!

[sparkEchooo]

Hi there,

Gentle ping for the request.

Best regards, Xingyu Liu

[jakub-cf]

Hi! It is on our schedule for next release.

[sparkEchooo]

Hi, Thank you for your reply! May I ask whether you plan to fix this issue in a new version? If so, Can you give us a moderate CVE or public thanks for awarding our efforts? Thanks again!

Reporter List

• Xingyu Liu([xingyu@stu.xidian.edu.cn])
• Nanzi Yang([nzyang@stu.xidian.edu.cn])
• Jinku Li([jkli@xidian.edu.cn])

[sparkEchooo]

Hi, Gentle ping for the above request.