Hard-coded JwtSigKey allows takeover of the k8s cluster in kubeoperator/kubepi

Valid

Reported on Jan 2nd 2023


Description

The JWT authentication function of kubepi <= v1.6.2 uses a hard-coded JwtSigKey, so every online deployment shares the same signing key. This means an attacker can forge any JWT token and take over the administrator account of any online deployment, and then use the administrator account to take over the target enterprise's k8s cluster.

Proof of Concept

The hard-coded jwtSigKey value of kubepi is signature_hmac_secret_shared_key, so an attacker only needs to sign a forged JWT token with it.

Taking the kubepi instance deployed at zhgd-kubepi.xingshicloud.com as an example, an attacker can forge the following JWT token:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml 0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5 hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNjcyNjUxNzc2LCJleHAiOjE3ODM2NTIzNzZ9.i-83qNf6pGJkUYdZCk nHeTG6PsYKc1FRyjrRcPJUKvI

After the administrator account is successfully taken over, the k8s cluster can be taken over as well (screenshot: PoC.png).

Impact

An attacker can forge any JWT token and take over the administrator account of any online deployment, and then use the administrator account to take over the target enterprise's k8s cluster.

Occurrences

The use of a hard-coded JwtSigKey allows an attacker to use this value to forge JWT tokens arbitrarily. The JwtSigKey is confidential and must not be hard-coded in the source.
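As an added, constructed example (not code from this report or from the kubepi project), the following Python shows the defender-side check that follows from the finding: recompute the HS256 MAC over a token your own deployment issued and see whether it verifies under the leaked default key. A match means the instance still signs sessions with the hard-coded key. The session signer and the KUBEPI_JWT_SIG_KEY variable name are hypothetical stand-ins; the key value and the HS256 algorithm are the ones the report names.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# Key the report identifies as hard-coded in kubepi <= v1.6.2.
DEFAULT_JWT_SIG_KEY = b"signature_hmac_secret_shared_key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT the way a session layer does (hypothetical stand-in for kubepi's)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def signed_with_default_key(token: str) -> bool:
    """Audit check: does a token issued by a deployment verify under the leaked default key?
    True means the instance still uses the hard-coded key. Malformed tokens and
    non-HS256 headers are reported as False instead of raising."""
    try:
        header_b64, body_b64, sig_b64 = token.strip().split(".")
        header = json.loads(_unb64url(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False
        expected = hmac.new(DEFAULT_JWT_SIG_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _unb64url(sig_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError, bad split
        return False


def load_sig_key(env=os.environ) -> bytes:
    """Hardened key loading: refuse the known default, generate a random key when none
    is configured (sessions then reset on restart), otherwise use the operator's key."""
    key = env.get("KUBEPI_JWT_SIG_KEY", "").encode()  # hypothetical variable name
    if key == DEFAULT_JWT_SIG_KEY:
        raise ValueError("refusing to start with the hard-coded default JwtSigKey")
    return key or secrets.token_bytes(32)
```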

We are processing your report and will contact the kubeoperator/kubepi team within 24 hours. (7 days ago)
Re modified the report. (7 days ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md. (6 days ago)
We have contacted a member of the kubeoperator/kubepi team and are waiting to hear back. (5 days ago)

Re (Researcher), 5 days ago:

I noticed that kubepi has officially released a bug repair notice; why is the status of the report still awaiting review?

Re (Researcher), 5 days ago:

Am I eligible for the prize pot? :)

kubeoperator/kubepi maintainer validated this vulnerability. (3 days ago)
Re has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
kubeoperator/kubepi maintainer marked this as fixed in v1.6.3 with commit 3be58b. (3 days ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
kubeoperator/kubepi maintainer published this vulnerability. (3 days ago)
session.go#L35 has been validated.

kubeoperator/kubepi maintainer (Maintainer), 3 days ago:

The vulnerability has been fixed and CVE-2023-22463 has been issued, thanks for your report.
