A new vulnerability in the Kubernetes `gitRepo` volume, disclosed on November 22, 2024, allows attackers to execute arbitrary code and escalate privileges, leading to potential container escapes. By exploiting this flaw, an attacker can execute code as the root user on the Kubernetes node. The vulnerability leverages a specifically crafted Git repository and can be exploited via supply chain attacks or compromised cluster service accounts. Affected: Kubernetes, container security.
Key points:
- A vulnerability in the `gitRepo` volume was disclosed, enabling arbitrary code execution.
- The vulnerability enables privilege escalation, letting attackers run code as the root user on Kubernetes nodes.
- Exploitation requires a mounted `gitRepo` volume linked to a specifically crafted Git repository.
- Despite being deprecated, the `gitRepo` volume remains enabled by default in Kubernetes.
- The attack relies on specifically crafted Git hooks, in particular a `post-checkout` hook, to execute arbitrary code.
- Attack vectors include supply chain attacks or using compromised cluster service account tokens.
- Mitigations include upgrading Kubelet, using init-containers, and implementing Validating Admission Policies.
- Audit policies and monitoring solutions can be implemented to detect and track usage of vulnerable Git repositories.
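The following is an added example of the Validating Admission Policy mitigation listed above; it is not taken from the advisory or from the proof-of-concept repository. It assumes a cluster where `admissionregistration.k8s.io/v1` is served (ValidatingAdmissionPolicy is GA from Kubernetes v1.30; older clusters use `v1beta1`), and it rejects any pod whose `spec.volumes` contains a `gitRepo` entry. The policy and binding names are chosen for this example.

```yaml
# Deny creation or update of pods that mount a gitRepo volume.
# Added example, not part of the original advisory.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-gitrepo-volumes
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Pass when there are no volumes, or when no volume sets the gitRepo field.
    - expression: "!has(object.spec.volumes) || object.spec.volumes.all(v, !has(v.gitRepo))"
      message: "gitRepo volumes are deprecated and disallowed by cluster policy."
      reason: Forbidden
---
# Bind the policy cluster-wide and enforce it (Deny) rather than only audit it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-gitrepo-volumes-binding
spec:
  policyName: deny-gitrepo-volumes
  validationActions: ["Deny"]
```

Apply both documents with `kubectl apply -f`; a pod manifest containing a `gitRepo` volume is then rejected by the API server with the message above. Because the rule matches the pod resource, it also blocks pods created by Deployments, Jobs and other controllers, since those pods pass through admission when the controller creates them.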
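An added example of the audit policy mentioned above, written here for illustration and not part of the advisory: it records the full request body for pod create, update and patch calls so that any `gitRepo` volume in a submitted pod spec appears in the audit log, while logging only metadata for everything else. The file is passed to the API server with `--audit-policy-file`; the path and log backend are deployment-specific and not shown.

```yaml
# kube-apiserver audit policy (added example).
# Pod specs are logged in full so gitRepo volumes can be searched for.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage to avoid duplicate entries per request.
omitStages:
  - "RequestReceived"
rules:
  # Full request and response bodies for writes to pods.
  - level: RequestResponse
    verbs: ["create", "update", "patch"]
    resources:
      - group: ""
        resources: ["pods"]
  # Everything else: who did what, without bodies.
  - level: Metadata
```

With this policy in place, a detection rule can search `requestObject.spec.volumes[*].gitRepo` in the audit stream; a non-empty match identifies the pod, namespace and the service account or user that submitted it.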
MITRE Techniques:
- Tactic: Privilege Escalation – Technique: T1611 — Escape to Host. The vulnerability allows an attacker to escape from a container to the host node, executing code as the root user.
Indicators of Compromise:
- URL: https://github.com/filipzag/CVE-2024-10220