Red Hat OpenShift Users Urged to Patch Critical Build Flaws

More than 3,000 customers, including a large share of the Global Fortune 500, run Red Hat OpenShift because of its built-in security features and its position as the leading hybrid cloud platform. Two critical vulnerabilities in the platform's build process now undercut that security.

Two vulnerabilities have recently been discovered in the OpenShift Container Platform's build process, tracked as CVE-2024-45496 and CVE-2024-7387. Either one lets an attacker run arbitrary commands on an affected worker node and escalate privileges there. Both flaws live in OpenShift's open-source build components, so they affect the upstream project as well as the product.

The first issue, CVE-2024-45496, stems from a misuse of elevated privileges in the build process. During the build initialization step the git-clone container runs with a privileged security context, which gives it unrestricted access to the worker node for the duration of the clone.

An attacker with developer-level access to the cluster can compromise a worker node by supplying a crafted .gitconfig file whose settings cause commands to run during the clone. Git configuration can name external programs to execute (credential helpers, for instance), so a malicious .gitconfig amounts to code execution in whatever context performs the clone. Because that context is a privileged container, the commands run on the worker node, and the attacker can escalate their privileges on the node that hosts the container.

Red Hat points out that the "Custom" build strategy, available in all platform versions, already lets developers execute arbitrary commands in a privileged container by design. The documentation explicitly warns that this strategy is disabled by default and should be enabled only for trusted users such as cluster administrators. For that reason the vulnerability is not considered a privilege escalation path under the Custom strategy; the concern is the Docker and Source strategies that ordinary developers can use.

MicroShift is not affected, because it does not include the OpenShift build API by default. Whether the Shipwright-based Builds for Red Hat OpenShift Operator is affected has not been confirmed. CVE-2024-45496 is rated as a severe flaw in OpenShift's build process, with a CVSS score of 9.9.

The root cause is a privilege mismatch: the git-clone container is meant to run with normal privileges during build initialization, but it runs under a privileged security context. An attacker with developer-level access who injects a malicious .gitconfig therefore gets to execute any command they choose on the worker node.

Red Hat's advisory emphasizes that, despite the severity, the flaw changes nothing for Custom builds, because the Custom strategy already allows developers to execute arbitrary commands in privileged containers. The documentation states that this strategy is disabled by default and should be enabled only for highly trusted users, such as cluster administrators.

The second flaw, CVE-2024-7387, has a CVSS score of 9.1 and is a command injection via path traversal. The spec.source.secrets[].destinationDir attribute of a BuildConfig tells the builder where to write a secret's contents inside the build container. A traversal value in that field lets a malicious user write outside the intended directory and overwrite executables inside the privileged build container, which in turn leads to arbitrary command execution on the host node.

Red Hat applies the same caveat here as for CVE-2024-45496: under the "Custom" build strategy, which is restricted to trusted users by default, the flaw is not considered a privilege escalation path. MicroShift and the Shipwright-based Builds for Red Hat OpenShift Operator are not affected.

Red Hat is expected to release patches for both vulnerabilities shortly. Until the updates are applied, Red Hat recommends that cluster administrators restrict the affected build strategies ("Docker" and "Source") to highly trusted users. Both issues are a reminder to keep software up to date and to apply least privilege to build pipelines: organizations running OpenShift should patch quickly and review who is allowed to run builds in their clusters.
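As an added example (not code from the original post and not Red Hat tooling), the POSIX shell helper below covers the two practical checks this post calls for: a containment test of the kind a destinationDir value from the CVE-2024-7387 paragraph needs before it is used as a write path, an audit of which BuildConfigs use the affected Docker and Source strategies, and the documented oc adm policy commands that restrict those strategies to one trusted group. The flattened listing format, the sample BuildConfigs and the group name build-admins are constructed assumptions; the cluster role names system:build-strategy-docker and system:build-strategy-source are the ones OpenShift ships.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-45496 / CVE-2024-7387. Example code written
# for this post, not Red Hat tooling. Assumes `oc` is logged in with
# cluster-admin rights; "build-admins" is a hypothetical group name.
set -f   # paths are data, never let the shell glob them

# Returns 0 if DIR stays inside the build working directory, 1 if it escapes
# (absolute path, or more ".." segments than preceding components). This is the
# containment check a destinationDir value needs before it becomes a write path.
dest_dir_is_contained() {
  dir=$1
  case $dir in
    /*) return 1 ;;
  esac
  depth=0
  rest=$dir
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    if [ "$part" = "$rest" ]; then rest=; else rest=${rest#*/}; fi
    case $part in
      ''|.) ;;
      ..) depth=$((depth - 1))
          if [ "$depth" -lt 0 ]; then return 1; fi ;;
      *)  depth=$((depth + 1)) ;;
    esac
  done
  return 0
}

# Constructed sample of the flattened listing a real cluster produces with:
#   oc get bc -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.strategy.type}{"\t"}{.spec.source.secrets[*].destinationDir}{"\n"}{end}'
# Columns: namespace, name, strategy type, space-separated destinationDir values.
sample_bc_listing() {
  printf '%s\t%s\t%s\t%s\n' \
    dev-team web-frontend Source '' \
    dev-team api-image Docker 'secrets/npm' \
    payments builder-img Docker '../../../usr/bin' \
    ci release JenkinsPipeline '' \
    infra ops-tools Source '/usr/local/bin'
}

# Reads the listing on stdin and prints one line per BuildConfig that uses an
# affected strategy (Docker or Source), tagging every destinationDir that
# escapes the build directory with ESCAPES:<value>.
audit_buildconfigs() {
  tab=$(printf '\t')
  while IFS=$tab read -r ns name strategy dests; do
    case $strategy in
      Docker|Source) ;;
      *) continue ;;
    esac
    flags=
    for d in $dests; do
      if ! dest_dir_is_contained "$d"; then
        flags="$flags ESCAPES:$d"
      fi
    done
    printf '%s/%s strategy=%s%s\n' "$ns" "$name" "$strategy" "$flags"
  done
}

# Runs a command when APPLY=1, otherwise prints it so the change can be reviewed.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# The documented RBAC mitigation: OpenShift binds system:build-strategy-docker
# and system:build-strategy-source to system:authenticated by default. Drop that
# grant and give the roles to a single trusted group instead.
restrict_build_strategies() {
  group=${1:-build-admins}   # hypothetical trusted group
  for strategy in docker source; do
    run oc adm policy remove-cluster-role-from-group "system:build-strategy-$strategy" system:authenticated
    run oc adm policy add-cluster-role-to-group "system:build-strategy-$strategy" "$group"
  done
}

# Stand-alone run: audit the constructed sample, then show the RBAC commands.
sample_bc_listing | audit_buildconfigs
restrict_build_strategies build-admins
```

Run the audit against live output by replacing sample_bc_listing with the oc command quoted in the comment, and set APPLY=1 only after reviewing the dry-run lines. The same restriction can be scoped to one project with `oc adm policy add-role-to-user system:build-strategy-docker <user> -n <project>`, and the current global grants are visible in the `system:build-strategy-docker-binding` and `system:build-strategy-source-binding` ClusterRoleBindings.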