CVE-2018-1002105

Kubernetes - (Unauthenticated) Arbitrary Requests

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

En todas las versiones de Kubernetes anteriores a la v1.10.11, v1.11.5 y la v1.12.3, el manejo incorrecto de las respuestas de error a las peticiones de actualización en el proxy en kube-apiserver permitían que las peticiones especialmente manipuladas estableciesen una conexión mediante el servidor de la API de Kubernetes a los servidores del backend y enviasen peticiones arbitrarias en la misma conexión directamente al backend, autenticadas con las credenciales TLS del servidor de la API de Kubernetes empleadas para establecer la conexión con el backend.

A privilege escalation vulnerability exists in OpenShift Container Platform which allows for compromise of pods running co-located on a compute node. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes, including in privileged containers.

*Credits: Reported by Darren Shepherd

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-12-03 CVE Published
2018-12-05 CVE Reserved
2022-04-14 First Exploit
2024-08-05 CVE Updated
2024-09-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-305: Authentication Bypass by Primary Weakness
CWE-388: 7PK - Errors

CAPEC

References (24)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2019/06/28/2	Mailing List
http://www.openwall.com/lists/oss-security/2019/07/06/3	Mailing List
http://www.openwall.com/lists/oss-security/2019/07/06/4	Mailing List
http://www.securityfocus.com/bid/106068	Third Party Advisory
https://groups.google.com/forum/#%21topic/kubernetes-announce/GVllWCg6L88	X_refsource_confirm
https://security.netapp.com/advisory/ntap-20190416-0001	Third Party Advisory
https://www.coalfire.com/The-Coalfire-Blog/December-2018/Kubernetes-Vulnerability-What-You-Can-Should-Do	Mitigation

URL	Date	SRC
https://www.exploit-db.com/exploits/46052	2024-08-05
https://www.exploit-db.com/exploits/46053	2024-08-05
https://github.com/sh-ubh/CVE-2018-1002105	2022-04-14
https://github.com/evict/poc_CVE-2018-1002105	2024-08-05

URL	Date	SRC
https://github.com/kubernetes/kubernetes/issues/71411	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3537	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3549	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3551	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3598	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3624	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3742	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3752	2023-11-07
https://access.redhat.com/errata/RHSA-2018:3754	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-1002105	2018-12-03
https://bugzilla.redhat.com/show_bug.cgi?id=1648138	2018-12-03
https://access.redhat.com/security/vulnerabilities/3716411	2018-12-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.0.0 <= 1.9.11 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.0.0 <= 1.9.11"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.10.0 <= 1.10.10 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.10.0 <= 1.10.10"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.11.0 <= 1.11.4 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.11.0 <= 1.11.4"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.12.0 <= 1.12.2 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.12.0 <= 1.12.2"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.9.12 Search vendor "Kubernetes" for product "Kubernetes" and version "1.9.12"		beta0		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.2 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.2"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.3 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.3"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.4 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.4"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.5 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.5"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.6 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.6"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.8 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.8"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.10 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.10"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11"		-		Affected
Netapp Search vendor "Netapp"		Trident Search vendor "Netapp" for product "Trident"				-		-		Affected