Kubernetes: CVE-2019-11250 remains in effect.

2020-08-0617:42:21

purelyapplied

hackerone.com

EPSS

0.002

Percentile

53.9%

JSON

Report Submission Form

Summary:

“CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs” remains in effect.

Kubernetes Version:

Effects at least all versions since 1.4.

This was determined with some git archaeology. This was determined by following the code snippet from it’s current location in kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go
The snippet was last meaningfully modified
It’s current location in The snippet remains relatively unchanged since

Component Version:

I’m not sure.

Steps To Reproduce:

Spin up a cluster with high verbosity: klog.V(9).Enabled()
Watch logs round_trippers.go curl -k -v -X<> -H "Authorization: <token>" <...>

I was having trouble getting a cluster spun up, so I have not managed a live reproduction.

Supporting Material/References:

[Issue #81146: Kubernetes 3rd Party Security Audit Findings]
(https://github.com/kubernetes/kubernetes/issues/81146)

[Issue #81114: CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs]
(https://github.com/kubernetes/kubernetes/issues/81114)

[Partial fix for #81114: PR #81330]
(https://github.com/kubernetes/kubernetes/pull/81330).
Note that only debuggingRoundTripper.RoundTrip only masks headers in the if rt.levels[debugRequestHeaders] block, exposure is also present in the
if rt.levels[debugCurlCommand] {klog.Infof("%s", reqInfo.toCurl())} preceding it.

At kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:416:

func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	reqInfo := newRequestInfo(req)

	if rt.levels[debugJustURL] {
		klog.Infof("%s %s", reqInfo.RequestVerb, reqInfo.RequestURL)
	}
	if rt.levels[debugCurlCommand] {
		klog.Infof("%s", reqInfo.toCurl())
	}
	if rt.levels[debugRequestHeaders] {
		klog.Infof("Request Headers:")
		for key, values := range reqInfo.RequestHeaders {
			for _, value := range values {
				value = maskValue(key, value)
				klog.Infof("    %s: %s", key, value)
			}
		}
	}
	// &lt;function continues&gt;
}

At kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:338:

// toCurl returns a string that can be run as a command in a terminal (minus the body)
func (r *requestInfo) toCurl() string {
	headers := ""
	for key, values := range r.RequestHeaders {
		for _, value := range values {
			headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
		}
	}

	return fmt.Sprintf("curl -k -v -X%s %s '%s'", r.RequestVerb, headers, r.RequestURL)
}

Correction will be a one-line diff to use maskValue in this loop as well.

Impact

> Alice logs into a Kubernetes cluster and is issued a Bearer token. The system logs her
token. Eve, who has access to the logs but not the production Kubernetes cluster, replays
Alice’s Bearer token, and can masquerade as Alice to the cluster.