Security Bug Allows Attackers to Brick Kubernetes Clusters

Kubernetes Clusters security bug

The vulnerability is triggered when a cloud container pulls a malicious image from a registry.

A vulnerability in one of the Go libraries that Kubernetes is based on could lead to denial of service (DoS) for the CRI-O and Podman container engines.

The bug (CVE-2021-20291) affects the Go library called “containers/storage.” According to Aviv Sasson, the security researcher at Palo Alto’s Unit 42 team who found the flaw, it can be triggered by placing a malicious image inside a registry; the DoS condition is created when that image is pulled from the registry by an unsuspecting user.

“Through this vulnerability, malicious actors could jeopardize any containerized infrastructure that relies on these vulnerable container engines, including Kubernetes and OpenShift,” Sasson said in a Wednesday posting.

CRI-O and Podman are container images, similar to Docker, that are used to perform actions and manage containers in the cloud. The containers/storage library is used by CRI-O and Podman to handle storage and download of container images.

When the vulnerability is triggered, CRI-O fails to pull new images, start any new containers (even if they are already pulled), retrieve local images lists or kill containers, according to the researcher.

Podman meanwhile will fail to pull new images, retrieve running pods, start new containers (even if they are already pulled), exec into containers, retrieve existing images or kill existing containers, he said.

The impact could be fairly wide: “As of Kubernetes v1.20, Docker is deprecated and the only container engines supported are CRI-O and Containerd,” Sasson explained. “This leads to a situation in which many clusters use CRI-O and are vulnerable. In an attack scenario, an adversary may pull a malicious image to multiple different nodes, crashing all of them and breaking the cluster without leaving a way to fix the issue other than restarting the nodes.”