kubeadm may log bootstrap tokens before attempting to delete them #2287
Labels
area/security
kind/cleanup
Categorizes issue or PR as related to cleaning up code, process, or technical debt.
priority/backlog
Higher priority than priority/awaiting-more-evidence.
Milestone
What keywords did you search in kubeadm issues before filing this one?
token
,error
Is this a BUG REPORT or FEATURE REQUEST?
SECURITY REPORT
Summary:
kubeadm
'sdelete
command takes as input either a bootstrap token ID, or a full token. Before determining whether the input is just an id or a full token,kubeadm
logs the input usingklog
. If the deletion fails, the token would remain valid. An attacker who has access to the logs could use it to perform actions that require a bootstrap token, such as creating a cluster or joining nodes to an existing cluster.Kubernetes Version:
The vulnerable code is present in kubernetes 1.19. The specific line that contains the call to
klog
was last edited on 2019-03-24.Details:
The vulnerable code is in the
github.com/kubernetes
repository, in the filekubernetes/cmd/kubeadm/app/cmd/token.go
, at line 423. Here is the whole function:And here's the definition of the kubeadm command that calls that function (in the same file):
Impact:
An attacker who obtains a bootstrap token from the logs could use it to authenticate with
kubeadm
and create a new cluster or join nodes to an existing cluster, e.g. to use computing resources. An attacker could also perform other actions usingkubeadm
, e.g. listing or deleting other tokens.Additional information:
I have reported this vulnerability to HackerOne and they have informed me that based on the high attack complexity and low severity, they think this can be reported and fixed publicly.
I have opened a PR on kubernetes implementing a fix: kubernetes/kubernetes#94727
The text was updated successfully, but these errors were encountered: