Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes

A high-severity security vulnerability in the Kyverno admission controller for container images could allow malicious actors to import a raft of nefarious code into cloud production environments.

The Kyverno admission controller offers a signature-verification mechanism designed to ensure that only signed, validated container images are admitted into a given Kubernetes cluster. This can ward off any number of bad outcomes, given that booby-trapped container images can carry payloads as varied as cryptominers, rootkits, exploit kits for container escape and lateral movement, credential stealers, and more.
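The kind of policy the article is describing, as an added illustration (this is not the policy ARMO tested, nor code from Kyverno or ARMO): a Kyverno ClusterPolicy that rejects any Pod whose images are not signed with a trusted cosign key. The registry prefix, the policy and rule names, and the public key placeholder are assumptions for the example and must be replaced with real values.

```yaml
# Added example of a Kyverno image-verification policy (not from the original
# article). Names, registry prefix and the key placeholder are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures          # assumed name
spec:
  # Enforce rejects the Pod on failure; Audit would only log it.
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature     # assumed name
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/platform/*"   # assumed registry prefix
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: paste the PEM-encoded cosign public key here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign public key, PEM>
                      -----END PUBLIC KEY-----
          # Fail closed: a matching image with no verifiable signature is rejected.
          required: true
          # Rewrite the image reference in the admitted Pod to the digest that was
          # verified, so the kubelet pulls exactly that manifest rather than a tag.
          mutateDigest: true
          verifyDigest: true
```

Two settings matter for the failure mode the article is about. `required: true` makes the rule fail closed rather than admitting images that no attestor could verify, and `mutateDigest: true` pins the Pod to the digest Kyverno checked, so what the node pulls is the same object that was signed. Neither setting is a fix for the CVE itself; which Kyverno releases are affected and what patched version to run is a question for the Kyverno advisory, which this page does not cover.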

However, the bug (CVE-2022-47633) can be exploited to subvert that mechanism. “The vulnerability enables an attacker … to inject unsigned images into the protected cluster, bypassing the image verification policy,” explained researchers at ARMO, in a blog post on Dec. 21. The stakes are high: The attacker can effectively take control of a victim’s pod and use all of its assets and credentials, including the service account token to access the API server, they warned.

“The vulnerability enables a complete bypass of image signature verification. In the case of a Kubernetes cluster, this gives an attacker a wide range of targets. Any workload can mount cluster secrets and data volumes,” Ben Hirschberg, CTO and co-founder of ARMO, tells Dark Reading. “This means the attacker can inject code that can steal data and credentials from the Kubernetes cluster of the victim. This also enables the attacker to inject his/her own code and use the CPU of the victim for things like cryptocurrency
