[BUG] Critical vulnerability! #25

Closed
pixelari opened this issue Jan 7, 2020 · 2 comments
Labels
bug Something isn't working

Comments


pixelari commented Jan 7, 2020

Describe the bug
The AKS SP is exposed by the env injector, which introduces an even bigger vulnerability than the problem it is trying to solve.

To Reproduce
First of all, this is my initContainer YAML part. Second, my application container is running as user 1000 with a read-only fs and all capabilities dropped (no need to tell you, these are the best practices for running your dockerized applications securely).

  initContainers:
  - command:
    - sh
    - -c
    - cp /usr/local/bin/azure-keyvault-env /azure-keyvault/ && cp /etc/kubernetes/azure.json
      /azure-keyvault/azure.json && chmod 444 /azure-keyvault/azure.json
    image: spvest/azure-keyvault-env:0.1.15
    imagePullPolicy: IfNotPresent
    name: copy-azurekeyvault-env
    volumeMounts:
    - mountPath: /azure-keyvault/
      name: azure-keyvault-env
    - mountPath: /etc/kubernetes/azure.json
      name: azure-config
      readOnly: true

But if you exec into the application container and run ls -l /, this is how it looks:

user@app-6498f5f49f-7hkl6:/$ ls -l /
total 68
drwxr-xr-x   1 root root 4096 Jan  2 13:38 app
drwxrwxrwt   2 root root   80 Jan  3 08:14 azure-keyvault
drwxr-xr-x   1 root root 4096 Nov 22 08:33 bin
drwxr-xr-x   2 root root 4096 Sep  8 10:51 boot
...

The problem is with the folder azure-keyvault, which contains the binary and the JSON file.

If you run env inside the container, the output is nice, like in the examples: the env vars are hidden. But if you run /azure-keyvault/azure-keyvault-env env you get the "decrypted" env vars. But this is not the worst case.

The worst case is that the JSON file inside the directory has READ permission and contains the AKS SP credentials in plain text; with those you can get AKS Admin and access every resource AKS has access to!

user@app-6498f5f49f-7hkl6:/$ ls -l azure-keyvault/
total 37008
-rwxr-xr-x 1 root root 37890317 Jan  3 08:14 azure-keyvault-env
-r--r--r-- 1 root root     1396 Jan  3 08:14 azure.json

Expected behavior
There shouldn't be such "leftovers" in the application container.

Additional context
I am really surprised that this is not covered in the documentation and that no one has raised this concern.

@pixelari pixelari added the bug Something isn't working label Jan 7, 2020
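The pattern in the report is an initContainer that reads a node-level credential file through a hostPath mount and copies it into a shared volume that the application container also mounts. The following audit is an added example, not code from this issue or from the project's own code base: it walks a Pod spec (as a plain dict, so it needs no extra libraries) and flags every init container that both has access to a sensitive host path and writes into a volume an app container can read. The list of sensitive host paths, the hostPath volume named azure-config, and the sample Pod specs are assumptions constructed for the example; only the initContainer block itself mirrors the one in the report.

```python
"""Audit a Kubernetes Pod spec for init containers that can copy a host
credential file into a volume that application containers also mount.

Constructed example; not part of the issue or of the project's own code.
"""

# Host paths that hold cluster-level credentials on AKS nodes. The issue's
# example is /etc/kubernetes/azure.json; extending the list is an assumption.
SENSITIVE_HOST_PATHS = ("/etc/kubernetes/azure.json",)


def _mounts(container):
    """Map volume name -> mountPath for one container spec."""
    return {m["name"]: m["mountPath"] for m in container.get("volumeMounts", [])}


def find_credential_leaks(pod_spec):
    """Return a list of (init_container, shared_volume, [app_containers]).

    A finding is raised when an init container either mounts a sensitive
    hostPath or references a sensitive path in its command, AND it mounts a
    non-hostPath volume (e.g. an emptyDir) that a regular container mounts too.
    """
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    findings = []
    for init in pod_spec.get("initContainers", []):
        init_mounts = _mounts(init)
        # Does the init container have the credential file in reach?
        reads_secret = any(
            volumes.get(name, {}).get("hostPath", {}).get("path") in SENSITIVE_HOST_PATHS
            for name in init_mounts
        )
        command_text = " ".join(init.get("command", []) + init.get("args", []))
        copies_secret = any(p in command_text for p in SENSITIVE_HOST_PATHS)
        if not (reads_secret or copies_secret):
            continue
        # Any shared, writable volume becomes a possible leak channel.
        for vol_name in init_mounts:
            if "hostPath" in volumes.get(vol_name, {}):
                continue  # this is the credential source itself, not a sink
            readers = [c["name"] for c in pod_spec.get("containers", [])
                       if vol_name in _mounts(c)]
            if readers:
                findings.append((init["name"], vol_name, readers))
    return findings


# Constructed Pod spec reproducing the initContainer from the report. The
# hostPath volume "azure-config" is assumed; the report only shows the mount.
LEAKY_POD = {
    "initContainers": [{
        "name": "copy-azurekeyvault-env",
        "image": "spvest/azure-keyvault-env:0.1.15",
        "command": ["sh", "-c",
                    "cp /usr/local/bin/azure-keyvault-env /azure-keyvault/ && "
                    "cp /etc/kubernetes/azure.json /azure-keyvault/azure.json && "
                    "chmod 444 /azure-keyvault/azure.json"],
        "volumeMounts": [
            {"name": "azure-keyvault-env", "mountPath": "/azure-keyvault/"},
            {"name": "azure-config", "mountPath": "/etc/kubernetes/azure.json",
             "readOnly": True},
        ],
    }],
    "containers": [{
        "name": "app",
        "image": "example/app:1.0",  # placeholder image
        "volumeMounts": [{"name": "azure-keyvault-env", "mountPath": "/azure-keyvault/"}],
    }],
    "volumes": [
        {"name": "azure-keyvault-env", "emptyDir": {}},
        {"name": "azure-config", "hostPath": {"path": "/etc/kubernetes/azure.json"}},
    ],
}

# Constructed variant: the init container only stages the binary and never
# touches the node credential file, so the shared emptyDir carries no secret.
SAFE_POD = {
    "initContainers": [{
        "name": "copy-azurekeyvault-env",
        "image": "spvest/azure-keyvault-env:0.1.15",
        "command": ["sh", "-c", "cp /usr/local/bin/azure-keyvault-env /azure-keyvault/"],
        "volumeMounts": [{"name": "azure-keyvault-env", "mountPath": "/azure-keyvault/"}],
    }],
    "containers": LEAKY_POD["containers"],
    "volumes": [{"name": "azure-keyvault-env", "emptyDir": {}}],
}

if __name__ == "__main__":
    for label, spec in (("leaky", LEAKY_POD), ("safe", SAFE_POD)):
        for init_name, vol, readers in find_credential_leaks(spec):
            print(f"[{label}] init container {init_name!r} can expose a node "
                  f"credential via volume {vol!r} to containers {readers}")
```

Run against a live cluster by feeding the output of `kubectl get pod <name> -o json` (the `.spec` object) to `find_credential_leaks`; a non-empty result means the app container's filesystem should be inspected for readable leftovers such as the azure.json shown in the report.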
torresdal (Collaborator) commented

Hey @tehleet and thanks for reporting this!

Walking through your report and doing some additional analysis, we agree this could be handled better than today.

We'll give a more detailed explanation soon, but for now, the solution we will implement basically deletes the entire /azure-keyvault/ folder as soon as the azure-keyvault-env executable is started, including itself.

Would this satisfy your concerns for now?

torresdal added a commit that referenced this issue Jan 9, 2020
pixelari (Author) commented

Hi @torresdal, thanks for the quick reply!

Your proposal seems ok, let's see where it takes us :)
