Labels:
- area/security
- kind/bug (Categorizes issue or PR as related to a bug.)
- lifecycle/frozen (Indicates that an issue or PR should not be auto-closed due to staleness.)
- priority/important-longterm (Important over the long term, but may not be staffed and/or may need multiple releases to complete.)
- sig/security (Categorizes an issue or PR as relevant to SIG Security.)
- wg/security-audit (Categorizes an issue or PR as relevant to WG Security Audit.)
Description
This issue tracks the findings from the recent third-party security audit of Kubernetes performed by Trail of Bits and Atredis on behalf of the CNCF. It gives the community a single place to track its response to, and remediation of, these findings now that they have been made public.
The full output of the assessment is available on the Security Audit Working Group site; this issue specifically tracks the findings from the Security Assessment Report.
# | Title | Issue | Status |
---|---|---|---|
1 | hostPath PersistentVolumes enable PodSecurityPolicy bypass | #81110 | closed, addressed by kubernetes/website#15756 |
2 | Kubernetes does not facilitate certificate revocation | #81111 | duplicate of #18982 and will be tracked in that issue |
3 | HTTPS connections are not authenticated | #81112 | |
4 | TOCTOU when moving PID to manager’s cgroup via kubelet | #81113 | |
5 | Improperly patched directory traversal in kubectl cp | #76788 | closed, assigned CVE-2019-11249, fixed in #80436 |
6 | Bearer tokens are revealed in logs | #81114 | closed, assigned CVE-2019-11250, fixed in #81330 |
7 | Seccomp is disabled by default | #81115 | closed, addressed by #101943 |
8 | Pervasive world-accessible file permissions | #81116 | |
9 | Environment variables expose sensitive data | #81117 | closed, addressed by #84992 and #84677 |
10 | Use of InsecureIgnoreHostKey in SSH connections | #81118 | |
11 | Use of InsecureSkipVerify and other TLS weaknesses | #81119 | |
12 | Kubeadm performs potentially-dangerous reset operations | #81120 | closed, fixed by #81495, #81494, and kubernetes/website#15881 |
13 | Overflows when using strconv.Atoi and downcasting the result | #81121 | closed, fixed by #89120 |
14 | kubelet can cause an Out of Memory error with a malicious manifest | #81122 | closed, fixed by #76518 |
15 | Kubectl can cause an Out Of Memory error with a malicious Pod specification | #81123 | |
16 | Improper fetching of PIDs allows incorrect cgroup movement | #81124 | |
17 | Directory traversal of host logs running kube-apiserver and kubelet | #81125 | closed, fixed by #87273 |
18 | Non-constant time password comparison | #81126 | closed, fixed by #81152 |
19 | Encryption recommendations not in accordance with best practices | #81127 | |
20 | Adding credentials to containers by default is unsafe | #81128 | |
21 | kubelet liveness probes can be used to enumerate host network | #81129 | |
22 | iSCSI volume storage cleartext secrets in logs | #81130 | closed, fixed by #81215 |
23 | Hard coded credential paths | #81131 | closed, awaiting more evidence |
24 | Log rotation is not atomic | #81132 | |
25 | Arbitrary file paths without bounding | #81133 | |
26 | Unsafe JSON construction | #81134 | |
27 | kubelet crash due to improperly handled errors | #81135 | |
28 | Legacy tokens do not expire | #81136 | duplicate of #70679 and will be tracked in that issue |
29 | CoreDNS leaks internal cluster information across namespaces | #81137 | closed, resolved with CoreDNS v1.6.2 (see the comment on #81137) |
30 | Services use questionable default functions | #81138 | |
31 | Incorrect docker daemon process name in container manager | #81139 | closed, fixed by #81083 |
32 | Use standard formats everywhere | #81140 | |
33 | Superficial health check provides false sense of safety | #81141 | closed, fixed by #81319 |
34 | Hardcoded use of insecure gRPC transport | #81142 | |
35 | Incorrect handling of Retry-After | #81143 | closed, fixed by #91048 |
36 | Incorrect isKernelPid check | #81144 | closed, fixed by #81086 |
37 | Kubelet supports insecure TLS ciphersuites | #81145 | closed in favor of #91444 (see this comment) |