
=====================================================================

                               CERT-Renater

                    Note d'Information No. 2023/VULN206

_____________________________________________________________________

DATE                : 01/06/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kubernetes secrets-store-csi-driver
                     versions prior to 1.3.3.

=====================================================================
https://discuss.kubernetes.io/t/security-advisory-cve-2023-2878-secrets-store-csi-driver-discloses-service-account-tokens-in-logs/24336
_____________________________________________________________________

[Security Advisory] CVE-2023-2878: secrets-store-csi-driver discloses
service account tokens in logs

  enj, May 25, 2023, 8:54pm

Hello Kubernetes Community,

A security issue was discovered in secrets-store-csi-driver where
an actor with access to the driver logs could observe service
account tokens. These tokens could then potentially be exchanged
with external cloud providers to access secrets stored in cloud
vault solutions. Tokens are only logged when TokenRequests is
configured in the CSIDriver object and the driver is set to run
at log level 2 or greater via the -v flag.

This issue has been rated MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (6.5), and assigned
CVE-2023-2878.


Am I vulnerable?

You may be vulnerable if TokenRequests is configured in the
CSIDriver object and the driver is set to run at log level 2
or greater via the -v flag.

To check if token requests are configured, run the following
command:

kubectl get csidriver secrets-store.csi.k8s.io -o jsonpath="{.spec.tokenRequests}"

To check if tokens are being logged, examine the secrets-store
container log:

kubectl logs -l app=secrets-store-csi-driver -c secrets-store -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"
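The two checks above need a live cluster. The following POSIX shell script is an added example (not part of the Kubernetes advisory or the driver project) that applies the same three conditions offline: it takes the driver version, the jsonpath output for spec.tokenRequests and the container's argument list as inputs, derives the klog verbosity from the -v flag, and counts log lines that carry the serviceAccount.tokens key without echoing them. The version string, tokenRequests value and log lines used at the bottom are constructed samples, not real driver output.

```shell
# Added example (not from the advisory or the driver project): offline triage
# of the three advisory conditions. Inputs are constructed stand-ins for the
# csidriver jsonpath output, the driver container's args, and kubectl logs.

# True (exit 0) when the version is below the fixed release 1.3.3.
version_is_affected() {
  v="${1#v}"; v="${v%%-*}"   # drop a leading "v" and any pre-release suffix
  oldifs="$IFS"; IFS=.; set -- $v; IFS="$oldifs"
  maj="${1:-0}"; min="${2:-0}"; pat="${3:-0}"
  [ $((maj * 1000000 + min * 1000 + pat)) -lt $((1 * 1000000 + 3 * 1000 + 3)) ]
}

# Prints the klog verbosity from container args (-v=2, -v 2, --v=2); 0 if unset.
log_level_from_args() {
  level=0; expect_value=0
  for arg in "$@"; do
    if [ "$expect_value" -eq 1 ]; then level="$arg"; expect_value=0; continue; fi
    case "$arg" in
      -v=*|--v=*) level="${arg#*=}" ;;
      -v|--v)     expect_value=1 ;;
    esac
  done
  echo "$level"
}

# assess_driver VERSION TOKENREQUESTS_OUTPUT [container args...]: prints
# "vulnerable" only when version < 1.3.3, tokenRequests is set, and -v >= 2.
assess_driver() {
  version="$1"; token_requests="$2"; shift 2
  level="$(log_level_from_args "$@")"
  if version_is_affected "$version" && [ -n "$token_requests" ] && [ "$level" -ge 2 ]; then
    echo vulnerable
  else
    echo not-vulnerable
  fi
}

# Counts stdin lines carrying the serviceAccount.tokens key without echoing
# them, so a report cites a count instead of re-disclosing token values.
count_token_log_lines() {
  grep -c 'csi.storage.k8s.io/serviceAccount.tokens' || true
}

# Constructed sample log, not real driver output; the token is a placeholder.
SAMPLE_LOG='I0525 20:54:00.000001 1 nodeserver.go:1] constructed: csi.storage.k8s.io/serviceAccount.tokens=<placeholder>
I0525 20:54:00.000002 1 nodeserver.go:2] constructed: mount completed'

assess_driver v1.3.2 '[{"audience":"example"}]' --endpoint=unix:///csi/csi.sock -v=2
printf '%s\n' "$SAMPLE_LOG" | count_token_log_lines
```

On a real cluster, feed the functions the output of the two kubectl commands above and the args from the secrets-store container spec; the mitigation of dropping to -v=0 or -v=1 shows up directly as a "not-vulnerable" result.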



Affected Versions

     secrets-store-csi-driver < 1.3.3

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by
running secrets-store-csi-driver at log level 0 or 1 via
the -v flag.


Fixed Versions

     secrets-store-csi-driver >= 1.3.3

To upgrade, refer to the documentation:
https://secrets-store-csi-driver.sigs.k8s.io/getting-started/upgrades.html#upgrades


Detection

Examine cloud provider logs for unexpected token exchanges, as
well as unexpected access to cloud vault secrets.

If you find evidence that this vulnerability has been exploited,
please contact security@kubernetes.io.


Acknowledgements

This vulnerability was reported by Tomer Shaiman @tshaiman from
Microsoft.


Thank You,
Mo Khan on behalf of the Kubernetes Security Response Committee


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

