Kubernetes New High Severity Vulnerability CVE-2021-25741 – Are You Exposed?

Written by jkaftzan | Published 2021/09/24
Tech Story Tags: kubernetes | vulnerability | kubernetes-problems | kubernetes-vulnerability | good-company | business-solutions | are-you-exposed | high-severity-vulnerability

TLDR A new vulnerability has been found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume. The issue was first reported by Fabricio Voznika and Mark Wolters of Google and posted to Github on Sep 13, 2021. Do you know if you are exposed? via the TL;DR App

Overview

A new HIGH severity vulnerability was found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. The issue is affecting the Kubelet component of Kubernetes (Kubelet is the primary "node agent" that runs on each node. It registers the node with the apiserver and launches PODs on it).
The issue was first reported by Fabricio Voznika and Mark Wolters of Google and posted to Github on Sep 13, 2021 (https://github.com/kubernetes/kubernetes/issues/104980 ).
This vulnerability allows attackers to abuse subPath property of the volumeMounts and access the entire host file system without using the hostPath feature originally intended for this capability.

Mitigation

The best way to avoid being affected is to completely disable VolumeSubPath functionality using --feature-gates=”VolumeSubPath=false” parameter of the Kubelet and the apiserver.

How to Know if Your Cluster is Affected

Since PODs, which utilizing the subPath, can potentially exploit this vulnerability, checking whether you are running a vulnerable version of Kubelet and whether you have PODs in your cluster that are utilizing this functionality would be key to understanding if your K8s is exposed to this threat.
To help K8s users understand if their K8s clusters are exposed to CVE-2021-25741, we have added a new feature to Kubescape - an open-source tool built to identify potential security issues in Kubernetes configuration. It now checks if your K8s clusters are exposed to CVE-2021-25741 and verifies that there are no pods in the cluster that might attempt to use the subPath function.
Simply install Kubescape from github -  and run the default set of tests including a test for this specific vulnerability.
 The results will appear in seconds -
You can also see exactly which PODs are the ones that are contributing to the exposure in the tool output:
You can also log in to the provided URL at the end of the scan and see all results in a full report with options for mitigations, managing alerts, and exposure over time:
Written by jkaftzan | We are a Kubernetes security innovator
Published by HackerNoon on 2021/09/24
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy