ASA-2019-00161 – Kubernetes: Directory traversal vulnerability in kubectl


Allele Security Alert

ASA-2019-00161

Identifier(s)

ASA-2019-00161, CVE-2019-1002101

Title

Directory traversal in kubectl

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes

Affected version(s)

kubectl versions prior to v1.11.9
kubectl versions prior to v1.12.7
kubectl versions prior to v1.13.5
kubectl versions prior to v1.14.0

Fixed version(s)

kubectl version v1.11.9
kubectl version v1.12.7
kubectl version v1.13.5
kubectl version v1.14.0

Proof of concept

Unknown

Description

A security issue was discovered in the Kubernetes `kubectl cp` command that could enable a directory traversal, allowing files on a user’s workstation to be replaced or deleted.

Technical details

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.

If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.

Since the fix for CVE-2018-1002100, the untar function calls cp.go:clean to strip path traversals. However, the untar function can both create and follow symbolic links.
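
One way to guard an untar step against the link handling described above, as an added example (not kubectl's code or the upstream patch). `checkEntries`, `outside` and the sample headers are hypothetical names; in real use the headers would come from `tar.Reader.Next`, and symlinks already present in the destination directory are not covered.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path"
	"strings"
)

func outside(p string) bool { return path.IsAbs(p) || p == ".." || strings.HasPrefix(p, "../") }

// checkEntries returns an error for the first header that could write outside the destination:
// an escaping name, a link target that leaves the tree, or a path through an earlier link.
func checkEntries(hdrs []*tar.Header) error {
	links := map[string]bool{} // cleaned names of links declared so far
	for _, h := range hdrs {
		name := path.Clean(h.Name)
		if outside(name) {
			return fmt.Errorf("%q: name escapes destination", h.Name)
		}
		for p := name; p != "."; p = path.Dir(p) {
			if links[p] {
				return fmt.Errorf("%q: path goes through archive link %q", h.Name, p)
			}
		}
		if h.Typeflag != tar.TypeSymlink && h.Typeflag != tar.TypeLink {
			continue
		}
		target := path.Clean(h.Linkname) // hard-link targets are relative to the archive root
		if h.Typeflag == tar.TypeSymlink && !path.IsAbs(h.Linkname) {
			target = path.Join(path.Dir(name), h.Linkname) // symlinks resolve from their own directory
		}
		if outside(target) {
			return fmt.Errorf("%q: link target %q leaves destination", h.Name, h.Linkname)
		}
		links[name] = true
	}
	return nil
}

// Constructed sample: a symlink entry followed by a file written through it.
var constructed = []*tar.Header{
	{Name: "out", Typeflag: tar.TypeSymlink, Linkname: "/constructed/elsewhere"},
	{Name: "out/file.txt", Typeflag: tar.TypeReg},
}

func main() {
	fmt.Println(checkEntries(constructed))
}
```

The policy is deliberately stricter than path cleaning alone: it also rejects archives that write through a link pointing inside the tree, since the link's target can change between the check and the write.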

Credits

Ariel Zelivansky (Twistlock)

Reference(s)

[ANNOUNCE] Security release of Kubernetes kubectl – potential directory traversal – Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 – CVE-2019-1002101
https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-kubectl-potential-directory-traversal-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-1002101/5712

kubectl fix potential directory traversal – CVE-2019-1002101 #75037
https://github.com/kubernetes/kubernetes/pull/75037

Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101
https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/

CVE-2019-1002101 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1002101

CVE-2019-1002101
https://security-tracker.debian.org/tracker/CVE-2019-1002101

CVE-2019-1002101 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1002101.html

CVE-2019-1002101 | SUSE
https://www.suse.com/security/cve/CVE-2019-1002101

CVE-2019-1002101
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002101

CVE-2019-1002101
https://nvd.nist.gov/vuln/detail/CVE-2019-1002101

Last modified: August 29, 2019
