January 13, 2023 - TuxCare expert team
According to ARMO researchers, the Kyverno admission controller for container images has a high-severity security vulnerability.
Using a malicious image repository or MITM proxy, an attacker can exploit the bug (CVE-2022-47633) to inject unsigned images into a protected cluster, bypassing the image verification policy.
The flaw could allow attackers to inject malicious code into cloud production environments. Kyverno is an open-source Kubernetes policy engine, which Red Hat maintains on GitHub, that users deploy to define and enforce policies for their cluster and applications.
Kyverno can be used to ensure that the resources, applications, and other components of a cluster meet operational, security, and compliance requirements. Successful exploitation of the vulnerability could lead to a supply chain problem.
A malicious image registry (or a man-in-the-middle attacker) can inject arbitrary unsigned container images into a protected Kubernetes cluster via the image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4. The vulnerability was introduced in Kyverno version 1.8.3 and affects clusters that rely on verifyImages rules for verification, since those rules cannot block images served by unknown registries.
According to ARMO researchers, the vulnerability arises because the controller’s signature validation process downloads the image manifest twice but only verifies a signature for one of the downloads.
According to the researchers, after a successful attack the hacker can assume command of a victim’s pod and use all of its resources and credentials, including the service account token, to access the API server. The validation process is circumvented by using a malicious image repository or MITM proxy to return a different manifest for the verification process than for the later fetch.
The attackers used social engineering to convince an administrator to insert malicious images into containers. These images are then hosted on compromised accounts, and phishing attacks are used to trick users into using them as well. When the image is first imported, the malicious registry returns a valid, signed image to the admission controller.
The admission controller, however, requests the manifest of the signed image a second time in order to obtain the digest for mutation, that is, to update the container’s human-readable tag. This time no signature validation is performed, enabling the malicious registry to return a different, unsigned and malicious image, which is ultimately spun up and run.
The vulnerability has been addressed in version 1.8.5 by guaranteeing that the same image hash used to verify signatures is also used to modify the workload specification.
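The double-fetch described above, reduced to a runnable model. This is an added example, not Kyverno's or ARMO's code: a demo HMAC stands in for cosign signatures, and `FlippingRegistry` is a constructed stand-in for a malicious registry or MITM proxy that answers the second manifest pull differently from the first. `admit_vulnerable` pins the digest of the unverified second pull (the 1.8.3/1.8.4 behaviour), while `admit_fixed` reuses the verified digest (the 1.8.5 behaviour).

```python
import hashlib
import hmac

# Constructed demo key standing in for the public key a verifyImages rule
# trusts. The registry below models a malicious registry or MITM proxy that
# serves a signed manifest on the first pull and an unsigned one afterwards.
TRUSTED_KEY = b"constructed-demo-signing-key"

def digest_of(manifest: bytes) -> str:
    return "sha256:" + hashlib.sha256(manifest).hexdigest()

def sign(manifest: bytes) -> str:
    # Demo signature over the manifest digest (cosign uses public-key crypto).
    return hmac.new(TRUSTED_KEY, digest_of(manifest).encode(), "sha256").hexdigest()

def signature_valid(manifest: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(manifest), sig)

class FlippingRegistry:
    """First pull of a tag: signed manifest. Later pulls: unsigned manifest."""
    def __init__(self, signed: bytes, unsigned: bytes):
        self.signed, self.unsigned, self.pulls = signed, unsigned, 0
    def pull(self, tag: str):
        self.pulls += 1
        if self.pulls == 1:
            return self.signed, sign(self.signed)
        return self.unsigned, "no-signature"

def admit_vulnerable(registry, tag: str):
    """Kyverno 1.8.3/1.8.4 pattern: verify one pull, pin the digest of another."""
    manifest, sig = registry.pull(tag)
    if not signature_valid(manifest, sig):
        return None                              # admission denied
    manifest_again, _ = registry.pull(tag)       # second pull, only for the digest
    return digest_of(manifest_again)             # digest written into the pod spec

def admit_fixed(registry, tag: str):
    """1.8.5 pattern: the digest that was verified is the one pinned."""
    manifest, sig = registry.pull(tag)
    if not signature_valid(manifest, sig):
        return None
    return digest_of(manifest)

def run_demo():
    # Constructed manifests: a trusted (signed) one and an attacker-chosen one.
    good = b'{"layers":["constructed-trusted-layer"]}'
    bad = b'{"layers":["constructed-unsigned-layer"]}'
    pinned_vuln = admit_vulnerable(FlippingRegistry(good, bad), "app:1.0")
    pinned_fixed = admit_fixed(FlippingRegistry(good, bad), "app:1.0")
    return pinned_vuln == digest_of(bad), pinned_fixed == digest_of(good)
```

`run_demo()` returns `(True, True)`: the vulnerable flow admits the pod with the unsigned image's digest pinned, the fixed flow pins only the digest whose signature it checked.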
The sources for this piece include an article in DarkReading.