======================================================================

                              CERT-Renater

                   Note d'Information No. 2024/VULN482
_____________________________________________________________________

DATE                : 20/11/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running kubelet versions prior to 1.31.0,
                                 1.30.3, 1.29.7, 1.28.12.

=====================================================================
https://groups.google.com/g/kubernetes-security-announce/c/ptNgV5Necko
_____________________________________________________________________

Hello Kubernetes Community,

A security vulnerability was discovered in Kubernetes that could
allow a user with the ability to create a pod and associate a
gitRepo volume to execute arbitrary commands beyond the container
boundary. This vulnerability leverages the hooks folder in the
target repository to run arbitrary commands outside of the
container's boundary.

Please note that this issue was originally publicly disclosed with
a fix in July (#124531), and we are retroactively assigning it a CVE
to assist in awareness and tracking.

This issue has been rated High
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) (score: 8.1),
and assigned CVE-2024-10220.


Am I vulnerable?

This CVE affects Kubernetes clusters where pods use the in-tree
gitRepo volume to clone a repository to a subdirectory. If the
*Kubernetes cluster is running one of the affected versions
listed below, then it is vulnerable to this issue.


Affected Versions

     kubelet v1.30.0 to v1.30.2

     kubelet v1.29.0 to v1.29.6

     kubelet <= v1.28.11


How do I mitigate this vulnerability?

To mitigate this vulnerability, you must upgrade your Kubernetes
cluster to one of the fixed versions listed below.
Additionally, since the gitRepo volume has been deprecated, the
recommended solution is to perform the Git clone operation using
an init container and then mount the directory into the Pod's
container. An example of this approach is provided here.


Fixed Versions

     kubelet v1.31.0

     kubelet v1.30.3

     kubelet v1.29.7

     kubelet v1.28.12


Detection

To detect whether this vulnerability has been exploited, you can
use the following command to list all pods that use the in-tree
gitRepo volume and clones to a .git subdirectory.
kubectl get pods --all-namespaces -o json | jq '.items[] | 
select(.spec.volumes[].gitRepo.directory | endswith("/.git")) | {name: 
.metadata.name, namespace: .metadata.namespace}

If you find evidence that this vulnerability has been exploited,
please contact secu...@kubernetes.io


Additional Details

See the GitHub issue for more details: 
https://github.com/kubernetes/kubernetes/issues/128885

Acknowledgements

This vulnerability was reported and mitigated by Imre Rad.

Thank You,

Craig Ingram on behalf of the Kubernetes Security Response
Committee


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================