CVE-2024-3177
Security Bypass vulnerability in kubernetes (Go)
What is CVE-2024-3177 About?
This Kubernetes security issue allows containers to bypass the mountable secrets policy enforced by the ServiceAccount admission plugin. Attackers can leverage the `envFrom` field in containers, init containers, and ephemeral containers to access unauthorized secrets. Exploitation requires specific configuration and the ability to create pods.
Affected Software
- k8s.io/kubernetes
  - <1.27.13
  - >1.28.0, <1.28.9
  - >1.29.0, <1.29.4
Technical Details
A security bypass vulnerability exists in Kubernetes when the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together. This flaw allows users to launch containers (including init and ephemeral containers) that use the `envFrom` field. If this field is populated, it can circumvent the policy designed to restrict service accounts to only mount secrets explicitly listed in their `secrets` field. By configuring a container with `envFrom` pointing to an unapproved secret, an attacker can effectively access secrets that should otherwise be inaccessible to the service account, bypassing the intended security enforcement.
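The following Go program is an added illustration of the policy gap described above; it is not code from the Kubernetes project. It models the mountable-secrets check with simplified stand-in types (assumptions made for this example, not the real `k8s.io/api` structs) and walks the three secret-reference paths in a pod spec: secret volumes, `env[].valueFrom.secretKeyRef`, and `envFrom[].secretRef`. The `includeEnvFrom` parameter is this example's own switch: with it set to false, the check behaves like the affected versions, which did not inspect `envFrom`, so a pod whose only unapproved references are in `envFrom` passes admission. The service account, secret names and pod are constructed sample data; other checks the real plugin performs, such as image pull secrets, are omitted.

```go
package main

import "fmt"

// Annotation the real admission plugin looks for on the ServiceAccount.
const enforceMountableSecretsAnnotation = "kubernetes.io/enforce-mountable-secrets"

// Simplified stand-ins for the Kubernetes API objects (assumptions for
// this example, not the real k8s.io/api types).
type ServiceAccount struct {
	Name        string
	Annotations map[string]string
	Secrets     []string // serviceAccount.secrets[].name
}

type SecretRef struct{ Name string }

type EnvVar struct {
	Name         string
	SecretKeyRef *SecretRef // env[].valueFrom.secretKeyRef, nil if unused
}

type EnvFromSource struct {
	SecretRef *SecretRef // envFrom[].secretRef, nil if unused
}

type Container struct {
	Name    string
	Env     []EnvVar
	EnvFrom []EnvFromSource
}

type Volume struct {
	Name       string
	SecretName string // volumes[].secret.secretName, "" if not a secret volume
}

type PodSpec struct {
	ServiceAccountName  string
	Volumes             []Volume
	Containers          []Container
	InitContainers      []Container
	EphemeralContainers []Container
}

// ValidateMountableSecrets returns one message per secret reference that is
// not listed on the annotated service account; an empty result means the pod
// would be admitted. includeEnvFrom=false reproduces the pre-fix behaviour in
// which envFrom references were never inspected.
func ValidateMountableSecrets(pod PodSpec, sa ServiceAccount, includeEnvFrom bool) []string {
	if sa.Annotations[enforceMountableSecretsAnnotation] != "true" {
		return nil // policy not enforced for this service account
	}
	allowed := map[string]bool{}
	for _, s := range sa.Secrets {
		allowed[s] = true
	}
	var violations []string
	for _, v := range pod.Volumes {
		if v.SecretName != "" && !allowed[v.SecretName] {
			violations = append(violations, fmt.Sprintf("volume %q references secret %q not listed on service account %q", v.Name, v.SecretName, sa.Name))
		}
	}
	checkContainers := func(kind string, cs []Container) {
		for _, c := range cs {
			for _, e := range c.Env {
				if e.SecretKeyRef != nil && !allowed[e.SecretKeyRef.Name] {
					violations = append(violations, fmt.Sprintf("%s %q env %q references secret %q not listed on service account %q", kind, c.Name, e.Name, e.SecretKeyRef.Name, sa.Name))
				}
			}
			if !includeEnvFrom {
				continue // the gap: envFrom was skipped in affected versions
			}
			for _, ef := range c.EnvFrom {
				if ef.SecretRef != nil && !allowed[ef.SecretRef.Name] {
					violations = append(violations, fmt.Sprintf("%s %q envFrom references secret %q not listed on service account %q", kind, c.Name, ef.SecretRef.Name, sa.Name))
				}
			}
		}
	}
	checkContainers("container", pod.Containers)
	checkContainers("init container", pod.InitContainers)
	checkContainers("ephemeral container", pod.EphemeralContainers)
	return violations
}

// sampleServiceAccount is constructed data: the annotation is set and only
// "app-token" is approved.
func sampleServiceAccount() ServiceAccount {
	return ServiceAccount{
		Name:        "app",
		Annotations: map[string]string{enforceMountableSecretsAnnotation: "true"},
		Secrets:     []string{"app-token"},
	}
}

// sampleBypassPod is constructed data: an approved secretKeyRef plus two
// unapproved secrets reached only through envFrom.
func sampleBypassPod() PodSpec {
	return PodSpec{
		ServiceAccountName: "app",
		Containers: []Container{{
			Name:    "main",
			Env:     []EnvVar{{Name: "TOKEN", SecretKeyRef: &SecretRef{Name: "app-token"}}},
			EnvFrom: []EnvFromSource{{SecretRef: &SecretRef{Name: "db-creds"}}},
		}},
		EphemeralContainers: []Container{{
			Name:    "debug",
			EnvFrom: []EnvFromSource{{SecretRef: &SecretRef{Name: "cloud-api-key"}}},
		}},
	}
}

func main() {
	sa, pod := sampleServiceAccount(), sampleBypassPod()
	fmt.Println("affected versions:", ValidateMountableSecrets(pod, sa, false))
	fmt.Println("fixed versions:   ", ValidateMountableSecrets(pod, sa, true))
}
```

Running the program shows the same pod admitted without complaint when `envFrom` is skipped and rejected with two violations once it is inspected; the same walk, applied to existing pods and their service accounts, is a reasonable audit for clusters that rely on the annotation and cannot upgrade immediately.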
What is the Impact of CVE-2024-3177?
Successful exploitation may allow attackers to access sensitive information stored in secrets that should otherwise be restricted, leading to unauthorized data disclosure, privilege escalation, and potential compromise of other cluster resources.
What is the Exploitability of CVE-2024-3177?
Exploitation involves medium complexity due to the specific conditions required: the cluster must use Windows nodes, the ServiceAccount admission plugin, and the kubernetes.io/enforce-mountable-secrets annotation. An attacker would need authenticated access with permissions to create pods. This is a remote vulnerability, as the attacker interacts with the cluster via the API. The likelihood of exploitation increases in environments that rely heavily on the enforce-mountable-secrets annotation for security and allow users to create pods with envFrom fields.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Cgv-Dev | Link | Module written in Ruby with the objective of exploiting vulnerabilities CVE-2023-2728 and CVE-2024-3177, both related to the secret mount policy in a Kubernetes cluster using a custom Metasploit... |
What are the Available Fixes for CVE-2024-3177?
Available Upgrade Options
- k8s.io/kubernetes
  - <1.27.13 → Upgrade to 1.27.13
  - >1.28.0, <1.28.9 → Upgrade to 1.28.9
  - >1.29.0, <1.29.4 → Upgrade to 1.29.4
Additional Resources
- https://osv.dev/vulnerability/GO-2024-2746
- https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ
- https://github.com/kubernetes/kubernetes/commit/f9fb6cf52a769a599a45e700375115c2ecc86e9b
- https://github.com/kubernetes/kubernetes/commit/7c861b1ecad97e1ab9332c970c9294a72065111a
- https://github.com/kubernetes/kubernetes/issues/124336
- https://nvd.nist.gov/vuln/detail/CVE-2024-3177
- https://pkg.go.dev/vuln/GO-2024-2746
- https://github.com/kubernetes/kubernetes
What are Similar Vulnerabilities to CVE-2024-3177?
Similar Vulnerabilities: CVE-2021-25740, CVE-2021-25741, CVE-2022-3162, CVE-2023-2727, CVE-2023-39325
