Introduction
This week two new vulnerabilities in the third party Kubernetes ecosystem have been announced for Bare Metal Operator (BMO) and Fluid. On their own, these tools don’t have large followings on GitHub, but as part of the longer list of recent CVEs in third party Kubernetes tooling, these CVEs demonstrate the breadth and potential impact of the Kubernetes ecosystem. Other recent CVEs include Clusternet, the Jenkins plugin (rated Medium), CubeFS, and Crossplane (rated High). As a result of the CVEs coming out, we released the first standard for a Kubernetes Bill of Materials (KBOM). We are looking for contributions and comments.
What are Fluid and Bare Metal Operator (BMO)?
Fluid is a CNCF sandbox project with a purpose-built alternative to managing data and storage in Kubernetes for the purposes of big data and AI applications. It provides an abstraction layer for data from storage resources to help with the efficiency and scale required to manage large amounts of data across multiple storage resources, referring to its own capabilities as ‘dataset orchestration and acceleration.’ With 1.3 thousand stars on GitHub, it is not the most used CNCF project, but neither is it the least. By comparison, Falco, a popular open source runtime tool, has 5.9 thousand stars.
Fluid’s potential application in Kubernetes for AI use-cases underscores the usage of Kubernetes as a powerful entity in making new AI companies and use-cases possible. OpenAI wrote about it’s usage of Kubernetes in 2021, and more information has come out since detailing its Azure environment and more. This vulnerability could be relevant for more than a few of the new AI companies hopping on the train of GPT and OpenAI.
BMO has much less GitHub stars, comparatively, at 427 GitHub stars, but its use case is very different, as a tool to help run Kubernetes on bare metal. BMO implements a Kubernetes API so it can provision on bare metal hosts, as well as run basic usage and performance analyses. A recent report found that 20% of Kubernetes deployments are run on bare metal, which is not a small amount, considering the broad usage of Kubernetes across the board.
How do the vulnerabilities work?
CVE 2023-30840 for Fluid contains a few pre-requisites for the attacker that make exploiting the vulnerability less likely. First, an attacker would have to gain access to a node running Fluid on its own and, once it’s in, would also have to use a separate means to identify other nodes to compromise. If the attacker has access to the node running Fluid, it can use the Kubernetes service account for Fluid to modify the spec of any node in the cluster. This means that they can manipulate system-level privileged components to access all secrets in the cluster, execute pods on another node or gain privileged access across an entire cluster. This vulnerability currently has no rating.
CVE-2023-30841 for BMO is rated Medium and causes exposure of usernames and passwords through allowing a configuration of the '.htpasswd' file to be stored as a ConfigMap instead of Secrets. The usernames and passwords would be shown in plain-text, readable by anyone who can view the ConfigMap, which would be anybody who has “cluster-wide read access to the management cluster or access to the management cluster's Etcd storage.”
What you should do
For Fluid, versions 0.7.0-0.8.6 are vulnerable so the recommendation is to update to version 0.8.6 for the patch. For other workarounds, check out the GitHub issue.
For BMO, the vulnerability shows up in versions prior to 0.3.0 so the recommendation is to update to version 0.3.0. For workarounds and other details, check out the BMO vendor advisory.
How KSOC can help
KSOC can both help to scan the related images for the vulnerability in production as well as show the cluster’s overall configuration, including where the tools are being used, via the new KBOM standard. For Fluid, the KBOM will help identify when a cluster is running the csi-nodeplugin-fluid node-daemonset because it lists daemonsets as part of the output. And for BMO, the KBOM should help identify whether .htpasswd file is stored as a ConfigMap as KBOM documents ConfigMap information in the output.
Conclusion
Vulnerabilities such as the ones for Fluid and BMO are a new regularity, so it is critical that platform engineering and cloud security teams get organized around their clusters’ configurations, as well as use Kubernetes-centric security tooling to identify any attacks or exploits of these vulnerabilities in real-timehttps://ksoc.com/blog/you-cant-secure-kubernetes-unless-its-in-real-time.