CVE-2023-1260: Kube-apiserver: privesc
First published: Tue Mar 07 2023(Updated: )
''' We've discovered a privilege escalation issue in the OpenShift platform. Conditions for the privilege escalation: - a user must be granted the ability to "update, patch" the "pods/ephemeralcontainers" subresource - by default, NEITHER common users NOR Service Accounts are granted this permission by the platform - with the above permission, a user is able to patch a running pod they've got access to and bypass SCC admission - this means, a user can create a "privileged" container, which allows them obtaining access to the pod's node resources The step-by-step reproducer is described in <a href="https://issues.redhat.com/browse/OCPBUGS-7181">https://issues.redhat.com/browse/OCPBUGS-7181</a>. Affected OpenShift Container Platform versions: 4.10 and newer. Affected component: kube-apiserver (and the platforms that use it) The bug is located within the apiserver-library-go repository in the following module: <a href="https://github.com/openshift/apiserver-library-go/tree/master/pkg/securitycontextconstraints">https://github.com/openshift/apiserver-library-go/tree/master/pkg/securitycontextconstraints</a>. We are yet to determine how to fix it. The workaround is to remove the permissions to "update, patch" the "pods/ephemeralcontainers" subresource from any low-privileged users, if there are any that currently hold it. ''' From Stanislav Láznička
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openshift | <0:4.10.0-202308291228.p0.g26fdcdf.assembly.stream.el7 | 0:4.10.0-202308291228.p0.g26fdcdf.assembly.stream.el7 |
| redhat/openshift | <0:4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8 | 0:4.11.0-202307200925.p0.ga9da4a8.assembly.stream.el8 |
| redhat/openshift | <0:4.12.0-202307040929.p0.g1485cc9.assembly.stream.el9 | 0:4.12.0-202307040929.p0.g1485cc9.assembly.stream.el9 |
| redhat/openshift | <0:4.13.0-202307132344.p0.gf245ced.assembly.stream.el9 | 0:4.13.0-202307132344.p0.gf245ced.assembly.stream.el9 |
| Kubernetes Kube-apiserver | ||
| Redhat Openshift Container Platform | =4.10 | |
| Redhat Openshift Container Platform | =4.11 | |
| Redhat Openshift Container Platform | =4.12 | |
| Redhat Openshift Container Platform | =4.13 | |
| go/github.com/openshift/apiserver-library-go | <0.0.0-20230621 | 0.0.0-20230621 |
| redhat/github.com/openshift/apiserver-library-go 0.0.0 | <20230621 | 20230621 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2023-1260 https://nvd.nist.gov/vuln/detail/CVE-2023-1260
- https://bugzilla.redhat.com/show_bug.cgi?id=2176267
- https://access.redhat.com/errata/RHSA-2023:4898
- https://access.redhat.com/errata/RHSA-2023:4312
- https://access.redhat.com/errata/RHSA-2023:3976
- https://access.redhat.com/errata/RHSA-2023:4093
- https://access.redhat.com/security/cve/CVE-2023-1260
- https://security.netapp.com/advisory/ntap-20231020-0010/
- https://issues.redhat.com/browse/OCPBUGS-7181
- https://github.com/openshift/apiserver-library-go/tree/master/pkg/securitycontextconstraints
- https://access.redhat.com/security/cve/cve-2023-1260
- https://access.redhat.com/errata/RHSA-2023:5008
- https://github.com/advisories/GHSA-92hx-3mh6-hc49 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-1260
- https://github.com/openshift/apiserver-library-go/commit/a994128188486d2dce99a528fbcc017d276081e0
- https://security.netapp.com/advisory/ntap-20231020-0010
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2023-1260?
The severity of CVE-2023-1260 is critical, with a severity value of 9.1.
How does CVE-2023-1260 affect kube-apiserver?
CVE-2023-1260 is an authentication bypass vulnerability that affects kube-apiserver.
Who is affected by CVE-2023-1260?
Users of Kubernetes kube-apiserver and Redhat Openshift Container Platform versions 4.10, 4.11, 4.12, and 4.13 are affected by CVE-2023-1260.
What is the remedy for CVE-2023-1260 in github.com/openshift/apiserver-library-go?
The remedy for CVE-2023-1260 in github.com/openshift/apiserver-library-go is version 0.0.0-20230621.
Are there any references related to CVE-2023-1260?
Yes, you can find more information about CVE-2023-1260 in the following references: [RHSA-2023:3976](https://access.redhat.com/errata/RHSA-2023:3976), [RHSA-2023:4093](https://access.redhat.com/errata/RHSA-2023:4093), [RHSA-2023:4312](https://access.redhat.com/errata/RHSA-2023:4312).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- agent/references
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-1260
- agent/software-canonical-lookup
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- collector/github-advisory
- source/GitHub
- alias/GHSA-92hx-3mh6-hc49
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- agent/last-modified-date
- agent/tags
- collector/github-advisory-latest
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kube-apiserver
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.10
- version/redhat openshift container platform/4.11
- version/redhat openshift container platform/4.12
- version/redhat openshift container platform/4.13
- package-manager/go