
TOB-K8S-005: Environment variables expose sensitive data #81117

@cji


This issue was reported in the Kubernetes Security Audit Report

Description
When configuring components of infrastructure, environment variables offer a trivial way to gather settings. However, not all settings should be derived from these variables. For example, the pkg/controller/certificates/signer/cfssl_signer.go file used the CFSSL_CA_PK_PASSWORD environment variable, which is expected to hold a plain-text password.

strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")

Figure 8.1: A string password being recovered from the CFSSL_CA_PK_PASSWORD environment variable.

If this variable is configured, an attacker could potentially gain access to its stored value through environment logging, or further exploitation of the endpoint. The assessment team found seemingly sensitive environment variables in at least the following locations:

pkg/cloudprovider/providers/openstack/openstack.go:207:	cfg.Global.Password = os.Getenv("OS_PASSWORD")
pkg/credentialprovider/rancher/rancher_registry_credentials.go:125:	accessKey := os.Getenv("CATTLE_ACCESS_KEY")
pkg/credentialprovider/rancher/rancher_registry_credentials.go:126:	secretKey := os.Getenv("CATTLE_SECRET_KEY")
pkg/controller/certificates/signer/cfssl_signer.go:79:	strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")

Exploit Scenario
Alice configures her environment with the CFSSL_CA_PK_PASSWORD environment variable. Eve gains access to Alice’s environment and determines that the CFSSL_CA_PK_PASSWORD environment variable is set. Because this variable contains the private key password, Eve is able to recover the private key and use it trivially, leading to further exploitation of Alice’s environment.

Recommendation
Short term, ensure highly sensitive information is not collected directly from environment variables for long periods of time.

Long term, consider using Kubernetes secrets for all areas of the system. This will allow users to have one unified interface and location for all secrets, and avoid accidentally exposing secrets to other users within a host system.

Anything else we need to know?:

See #81146 for current status of all issues created from these findings.

The vendor gave this issue an ID of TOB-K8S-005 and it was finding 9 of the report.

The vendor considers this issue Medium Severity.

To view the original finding, begin on page 35 of the Kubernetes Security Review Report.

Environment:

  • Kubernetes version: 1.13.4

Labels:

  • area/provider/openstack: Issues or PRs related to openstack provider
  • area/security
  • kind/bug: Categorizes issue or PR as related to a bug.
  • priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
  • sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
  • sig/cloud-provider: Categorizes an issue or PR as relevant to SIG Cloud Provider.
  • wg/security-audit: Categorizes an issue or PR as relevant to WG Security Audit.