Chaos-Mesh flaws put Kubernetes clusters at risk of full takeover

chaosctl tool and port. Some cloud infrastructure providers that offer Chaos-Mesh implementations as part of their managed Kubernetes Services, such as Azure Chaos Studio, are also impacted.

Chaos-Mesh was designed to orchestrate fault scenarios that could impact infrastructure and applications. The researchers observed that one core component of Chaos-Mesh, the Controller Manager, exposed a GraphQL server that didn’t enforce authentication for queries. As a result, an attacker with network access on the cluster, even via an unprivileged pod, could send commands to the Chaos Daemon component through Controller Manager to inject faults.

One built-in command, or “mutation,” called killProcesses can shut down processes on other pods, including important ones such as the Kubernetes storage provisioner pod or the API server pod. If these pods are disabled, the entire cluster suffers a denial of service.

OS command injection and lateral movement: Some mutations, such as cleanTcs, killProcesses, and cleanIptables, allow appended shell commands to execute on targeted pods. Attackers can use this functionality to perform OS command injections and achieve lateral movement by extracting Service Account Tokens from those pods.

The Chaos Daemon mounts each pod’s filesystem under a /proc/<PID>/root file path to facilitate executing commands on them. An attacker in control of the Chaos Daemon can simply cycle through the PIDs of all pods to extract their Service Account Tokens, which are stored at a specific path in their filesystems: /proc/<PID>/root/var/run/secrets/kubernetes.io/serviceaccount/token. These tokens can then be used with the Kubernetes kubectl tool to execute arbitrary commands on them.

“We recommend Chaos-Mesh users to upgrade swiftly since these vulnerabilities are extremely easy to exploit and lead to total cluster takeover while having only cluster network access,” the researchers said.
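Because the lateral movement described above depends on a Service Account Token being present in each pod's filesystem, the following added example (not from the article or the Chaos-Mesh project) audits which pods will have one mounted, so workloads that never call the Kubernetes API can be switched to automountServiceAccountToken: false. The function names and the sample pod and ServiceAccount data are constructed for illustration; real input is assumed to be the JSON printed by kubectl get pods -A -o json and kubectl get serviceaccounts -A -o json.

```python
# Added example: list pods whose filesystem will contain a Service Account Token.
import json

def effective_automount(pod, sa_index):
    """Pod spec overrides the ServiceAccount; the Kubernetes default is True."""
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken") is not None:
        return spec["automountServiceAccountToken"]
    key = (pod["metadata"].get("namespace", "default"),
           spec.get("serviceAccountName", "default"))
    sa_value = sa_index.get(key, {}).get("automountServiceAccountToken")
    return True if sa_value is None else sa_value

def has_projected_token(pod):
    """True if a projected volume requests a token regardless of automount."""
    for vol in pod.get("spec", {}).get("volumes") or []:
        for src in (vol.get("projected") or {}).get("sources") or []:
            if "serviceAccountToken" in src:
                return True
    return False

def pods_with_tokens(pods_doc, sas_doc):
    """Return sorted 'namespace/name' for every pod that gets a token mounted."""
    sa_index = {(sa["metadata"].get("namespace", "default"), sa["metadata"]["name"]): sa
                for sa in sas_doc.get("items", [])}
    return sorted(
        f'{p["metadata"].get("namespace", "default")}/{p["metadata"]["name"]}'
        for p in pods_doc.get("items", [])
        if effective_automount(p, sa_index) or has_projected_token(p))

# Constructed sample input, shaped like `kubectl get ... -o json` output.
SAMPLE_SAS = json.loads("""{"items": [
  {"metadata": {"namespace": "shop", "name": "no-token"}, "automountServiceAccountToken": false},
  {"metadata": {"namespace": "shop", "name": "default"}}]}""")
SAMPLE_PODS = json.loads("""{"items": [
  {"metadata": {"namespace": "shop", "name": "web"}, "spec": {}},
  {"metadata": {"namespace": "shop", "name": "batch"}, "spec": {"serviceAccountName": "no-token"}},
  {"metadata": {"namespace": "shop", "name": "cache"}, "spec": {"automountServiceAccountToken": false}},
  {"metadata": {"namespace": "shop", "name": "api"},
   "spec": {"serviceAccountName": "no-token", "automountServiceAccountToken": true}},
  {"metadata": {"namespace": "shop", "name": "sidecar"},
   "spec": {"automountServiceAccountToken": false, "volumes": [
     {"name": "tok", "projected": {"sources": [{"serviceAccountToken": {"path": "token"}}]}}]}}]}""")

if __name__ == "__main__":
    for name in pods_with_tokens(SAMPLE_PODS, SAMPLE_SAS):
        print("token mounted:", name)
```

Reducing the number of mounted tokens narrows what a compromised node-level component can read; it does not replace the upgrade the researchers recommend.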

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4058158/chaos-mesh-flaws-put-kubernetes-clusters-at-risk-of-full-takeover.html
