CVE-2024-0793: Kube-controller-manager DoS Vulnerability due to Flawed HPA Config Parsing
A recently discovered vulnerability, CVE-2024-0793, affects the kube-controller-manager (KCM) component in Kubernetes. This flaw could potentially lead to a denial of service (DoS) attack, putting your Kubernetes cluster at risk. In this post, we'll cover the details of this vulnerability, how it can be exploited, and how to mitigate it.
Vulnerability Details
The vulnerability occurs when applying an initial Horizontal Pod Autoscaler (HPA) configuration in a YAML file that does not contain a .spec.behavior.scaleUp block. When kube-controller-manager processes such a flawed HPA config, it causes KCM pods to go into a restart loop (restart churn), effectively creating a DoS attack.
This issue was first addressed in the Kubernetes issue tracker: Kubernetes Issue #93339
The vulnerable code snippet is as follows
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
name: example-hpa
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: example-deployment
behavior:
scaleDown:
stabilizationWindowSeconds: 300
Exploitation Details
An attacker with sufficient privileges to create or edit HPA resources in a Kubernetes cluster could exploit this vulnerability by crafting a malicious HPA config that lacks the .spec.behavior.scaleUp block. By applying this configuration to the cluster, the attacker can cause kube-controller-manager pods to go into a restart churn, potentially leading to a DoS, affecting the stability and availability of the entire cluster.
To mitigate this vulnerability, there are several recommended approaches
1. Update to a patched version of Kubernetes, as mentioned in the Kubernetes Security Announcement:
Kubernetes v1.16.15
2. Validate your HPA configs before applying them to the Kubernetes cluster to ensure they contain the necessary .spec.behavior.scaleUp block.
3. Implement Role-Based Access Control (RBAC) to restrict user permissions, thus limiting the ability to create or modify HPA resources.
4. Monitor the logs and health status of kube-controller-manager pods to detect any restart churns, which could be indicative of an attempted attack.
Conclusion
CVE-2024-0793 is a critical vulnerability affecting Kubernetes clusters. It is essential for organizations to take the appropriate measures in order to safeguard their cluster and mitigate the risk of a DoS attack. By adopting the suggested mitigation strategies and regularly updating Kubernetes to the latest patched version, you can minimize the risks associated with this vulnerability.
Timeline
Published on: 11/17/2024 11:15:06 UTC
Last modified on: 11/18/2024 17:11:17 UTC