"Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes"

A high-severity security flaw in Kyverno, a Kubernetes admission controller that enforces policy on container images, could enable threat actors to import malicious code into cloud-based production systems. Kyverno provides a signature verification mechanism to ensure that only signed, validated container images are admitted into a Kubernetes cluster. This mechanism guards against a range of undesirable consequences, as booby-trapped container images may carry payloads such as cryptocurrency miners, rootkits, exploit kits for container escape and lateral movement, credential stealers, and more. However, the flaw, tracked as CVE-2022-47633, can be exploited to bypass this protection. According to researchers at ARMO, the vulnerability allows an attacker to bypass the image verification policy and inject unsigned images into a protected cluster. They warned that an attacker could essentially seize control of a victim's pod and use all of its assets and credentials, including the service account token, to gain access to the Kubernetes Application Programming Interface (API) server. When a request to create a new workload, defined by an image reference with a tag, reaches the Kubernetes API server, the API server asks the Kyverno admission controller to validate the workload. The admission controller requests the image manifest and its signature from the container registry to determine whether the workload can be allowed into the cluster. If they check out, the image is approved and the container runtime launches the new workload from it. According to the advisory, the vulnerability arises because the controller's signature validation mechanism downloads the image manifest twice but verifies a signature for only one of the downloads, so a registry or proxy under the attacker's control can answer the verified request with a legitimately signed manifest and the unverified one with a different, unsigned image. This article continues to discuss the bypass of Kyverno's signature verification for container images that allows attackers to take over a Kubernetes pod to steal data and inject malware.
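The double-download pattern described above, and the single-fetch, digest-pinned flow that closes it, as an added illustration. This is example code written for this page, not code from the Dark Reading article, from ARMO's advisory, or from the Kyverno project; Go is used because Kyverno is written in Go. The Manifest and Registry types, the admitDoubleFetch and admitPinned functions, the boolean stand-in for signature verification, and the image reference registry.example/app:1.0 are all constructed for the example. The registry is modelled as attacker-controlled: it can answer consecutive requests for the same tag with different content, which is the behaviour the flaw depends on.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest stands in for an OCI image manifest (constructed for this example); Signed
// records whether a valid signature exists over exactly this content.
type Manifest struct {
	Body   string
	Signed bool
}

// Digest is the manifest's content address: sha256 over its bytes.
func (m Manifest) Digest() string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(m.Body)))
}

// Registry models an attacker-controlled registry: each request for a reference is answered
// with the next manifest in that reference's sequence (the last one repeats).
type Registry struct {
	byRef map[string][]Manifest
}

func NewRegistry() *Registry {
	return &Registry{byRef: map[string][]Manifest{}}
}

// Publish appends manifests to a tag's response sequence and indexes each by its digest.
func (r *Registry) Publish(tag string, ms ...Manifest) {
	for _, m := range ms {
		r.byRef[tag] = append(r.byRef[tag], m)
		r.byRef[m.Digest()] = []Manifest{m}
	}
}

// Fetch resolves a tag or digest reference to a manifest.
func (r *Registry) Fetch(ref string) (Manifest, error) {
	seq := r.byRef[ref]
	if len(seq) == 0 {
		return Manifest{}, errors.New("unknown reference " + ref)
	}
	if len(seq) > 1 {
		r.byRef[ref] = seq[1:] // the next request for this reference gets a different answer
	}
	return seq[0], nil
}

// verifySignature stands in for cosign-style verification against a trusted key.
func verifySignature(m Manifest) bool { return m.Signed }

// admitDoubleFetch reproduces the flawed flow described above: download the manifest by tag
// and verify its signature, then download the same tag again, unverified, to decide what runs.
func admitDoubleFetch(r *Registry, tag string) (Manifest, error) {
	verified, err := r.Fetch(tag)
	if err != nil {
		return Manifest{}, err
	}
	if !verifySignature(verified) {
		return Manifest{}, errors.New("signature verification failed")
	}
	return r.Fetch(tag) // second download, never verified
}

// admitPinned fetches the tag once, verifies that content, and from then on refers to the
// image only by the verified digest; whatever is later pulled is re-hashed and compared.
func admitPinned(r *Registry, tag string) (Manifest, string, error) {
	verified, err := r.Fetch(tag)
	if err != nil {
		return Manifest{}, "", err
	}
	if !verifySignature(verified) {
		return Manifest{}, "", errors.New("signature verification failed")
	}
	want := verified.Digest() // the pod spec would be rewritten to image@want at this point
	pulled, err := r.Fetch(want)
	if err != nil {
		return Manifest{}, "", err
	}
	if got := pulled.Digest(); got != want {
		return Manifest{}, "", fmt.Errorf("digest mismatch: want %s, got %s", want, got)
	}
	return pulled, want, nil
}

func main() {
	const tag = "registry.example/app:1.0" // hypothetical image reference
	good := Manifest{Body: "signed release manifest", Signed: true}
	evil := Manifest{Body: "unsigned malicious manifest"}
	r1, r2 := NewRegistry(), NewRegistry()
	r1.Publish(tag, good, evil)
	r2.Publish(tag, good, evil)
	admitted, err := admitDoubleFetch(r1, tag)
	fmt.Printf("double fetch admitted %q, err=%v\n", admitted.Body, err)
	admitted, digest, err := admitPinned(r2, tag)
	fmt.Printf("pinned flow admitted %q at %s, err=%v\n", admitted.Body, digest, err)
}
```

Run with go run: the double-fetch flow admits the unsigned manifest because the registry served the signed one only to the request that was checked, while the pinned flow admits the signed manifest and hands the runtime a digest it cannot be talked out of. The re-hash after the digest fetch matters as well: pinning by digest only helps if the consumer checks that what it received actually hashes to that digest, rather than trusting the registry's answer to a digest lookup.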

Dark Reading reports "Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes"
