CVE-2022-3162: Unauthorized Access to Custom Resources in Kubernetes, How to Prevent and Mitigate the Issue

CVE-2022-3162 is a recently discovered vulnerability affecting Kubernetes clusters. It can result in unauthorized access to custom resources in the same API group, potentially leading to data leakages and security risks. In this long-read post, we'll explore the details of this vulnerability, provide code snippets that demonstrate the issue, and offer helpful tips to safeguard your cluster.

Exploit Details

Users who can list or watch a specific type of namespaced custom resource cluster-wide might access custom resources of another type within the same API group without proper authorization. To be impacted by this vulnerability, your cluster must meet all of the following conditions:

Users are NOT authorized to read another custom resource in the same API group.

Here's an example of how this vulnerability can be exploited. Let's assume we have two CustomResourceDefinitions (CRD) in the same API group called "my_api_group":

CRD YAML example

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: crd1_my_resource.my_api_group
spec:
  group: my_api_group
  versions:
  - name: v1
    served: true
    storage: true
  names:
    kind: Crd1MyResource
    plural: crd1_my_resource
  scope: Namespaced

Suppose a user has permission to list or watch "crd1_my_resource" cluster-wide

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: list-watch-crd1
rules:
- apiGroups: ["my_api_group"]
  resources: ["crd1_my_resource"]
  verbs: ["list", "watch"]

This user is not authorized to read "crd2_another_resource." However, due to CVE-2022-3162, they can still access it without proper authorization.

To mitigate this vulnerability, there are several steps you can take

1. Upgrade your Kubernetes clusters: Update your cluster to a version containing the patch for CVE-2022-3162. The following versions include the required fix:

1.23.3+

2. Restrict RBAC permissions: Limit the permissions granted to users in the cluster, following the principle of least privilege. Ensure users only have the access required for their role, and avoid providing cluster-wide permission without proper checks.

To learn more about this vulnerability, refer to the original references below

1. Kubernetes Security Announcement: https://github.com/kubernetes/kubernetes/issues/106589
2. CVE-2022-3162 - NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-3162

Conclusion

CVE-2022-3162 is a significant security vulnerability with the potential to grant unauthorized access to specific custom resources in Kubernetes clusters. By understanding its intricacies and implementing robust security practices, you can mitigate and prevent unauthorized access to your cluster. Be sure to keep your cluster up-to-date and pay attention to the configuration of your CustomResourceDefinitions.

Timeline

Published on: 03/01/2023 19:15:00 UTC
Last modified on: 05/11/2023 15:15:00 UTC