CVE-2022-36103 Talos Linux worker nodes use a join token to get accepted into the Talos cluster.

BZ# 1481664 Workload has access to the join token stored on the worker node. Workload then keeps this join token in an insecure way in the Talos configuration. This can be done by running a job that configures a worker node with the Talos configuration. Once a worker node receives the configuration, it does not have to keep the join token in the insecure way. The workload can then be configured to run a job that extracts the join token from the configuration and stores it in an insecure way. This insecure way can be a file on the worker node or a configuration variable in the Kubernetes node configuration. The workload can then be configured to run a job that extracts the join token from the configuration and stores it in an insecure way.

Initial Steps

-Deprecate the insecure use of the join token in Talos configuration.
-Create a new config variable for the join token to be stored in an insecure way in Kubernetes node configuration.
-Deprecate the insecure use of the join token in the Kubernetes node configuration.

Alerting

Workload has access to the join token stored on the worker node. Workload then keeps this join token in an insecure way in the Talos configuration. This can be done by running a job that configures a worker node with the Talos configuration. Once a worker node receives the configuration, it does not have to keep the join token in the insecure way. The workload can then be configured to run a job that extracts the join token from the configuration and stores it in an insecure way. This insecure way can be a file on the worker node or a configuration variable in the Kubernetes node configuration. The workload can then be configured to run a job that extracts the join token from the configuration and stores it in an insecure way.
This alert is triggered when NodeDisksMntRmvJob has been scheduled with source=join_token:job=NodeDisksMntRmvJob, target=JoinTokenName:token=JoinTokenValue; filename="../../root/etc/kubernetes/worker-node-join-token:/tmp/x/y"

Workload has access to the Kubernetes API key in the Talos configuration. Workload then keeps this Kubernetes API key in an insecure way in the Talos configuration. This can be done by running a job that configures a worker node with the Talos configuration. Once a worker node receives the configuration, it does not have to keep the Kubernetes API key in the insecure way. The workload can then be configured to run a job that extracts the Kubernetes API key from the configuration and stores it in an insecure way. This insecure way can be a file on the worker node or a configuration variable in the Kubernetes node configuration. The workload can then be configured to run a job that extracts the Kubernetes API key from the configuration and stores it in an insecure way.

Join Tokens Overview

The join token is a key feature of the Talos platform where a worker node can join a workload. When joining a workload, the worker node needs to be able to find the join token that was stored in the Talos configuration by looking for it in an insecure way. The worker node does not need to keep the join token after finding it because it will use this information for joining and later extracting it from the configuration.

Timeline

Published on: 09/13/2022 17:15:00 UTC
Last modified on: 09/16/2022 02:36:00 UTC

References

• https://github.com/siderolabs/talos/security/advisories/GHSA-7hgc-php5-77qq
• https://github.com/siderolabs/talos/commit/9eaf33f3f274e746ca1b442c0a1a0dae0cec088f
• https://github.com/siderolabs/talos/releases/tag/v1.2.2
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36103