Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGsPOT3VSqGbvGySuZsJ4mkqBb5PApH66VyNrxTPFT2sCPo09Q@mail.gmail.com>
Date: Thu, 15 Sep 2022 14:49:36 -0700
From: Pushkar Joglekar <pushkarj.at.work@...il.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2021-25749: runAsNonRoot logic bypass for Windows containers

Hello Kubernetes Community,

A security issue was discovered in Kubernetes that could allow Windows
workloads to run as ContainerAdministrator even when those workloads set
the runAsNonRoot option to true .

This issue has been rated low and assigned CVE-2021-25749
<https://hackmd.io/ndl5QD3tTUKqYdO7rfGX7A#Am-I-vulnerable>Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads
with runAsNonRoot are impacted.
Affected Versions

   - kubelet v1.20 - v1.21
   - kubelet v1.22.0 - v1.22.13
   - kubelet v1.23.0 - v1.23.10
   - kubelet v1.24.0 - v1.24.4

How do I mitigate this vulnerability?

There are no known mitigations to this vulnerability.
<https://hackmd.io/ndl5QD3tTUKqYdO7rfGX7A#Fixed-Versions>Fixed Versions

   - kubelet v1.22.14
   - kubelet v1.23.11
   - kubelet v1.23.5
   - kubelet v1.25.0

To upgrade, refer to this documentation. *For core Kubernetes:*
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Detection

Kubernetes Audit logs may indicate if the user name was misspelled to
bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io
Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/112192
Acknowledgements

This vulnerability was reported and fixed by Mark Rosetti (@marosset)

Thank You,

Pushkar Joglekar on behalf of the Kubernetes Security Response Committee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.