JwtSigKey hardcoded causes the k8s cluster to take over in kubeoperator/kubepi

Valid

Reported on

Jan 2nd 2023

Description

The jwt authentication function of kubepi <= v1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Further use the administrator to take over the k8s cluster of the target enterprise.

Proof of Concept

The hard-coded jwtSigKey value of kubepi is signature_hmac_secret_shared_key, so it only needs to sign the forged jwt token.

Taking kubepi deployed on zhgd-kubepi.xingshicloud.com as an example, an attacker can forge the following jwt tokens:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml 0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5 hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfSwiaWF0IjoxNjcyNjUxNzc2LCJleHAiOjE3ODM2NTIzNzZ9.i-83qNf6pGJkUYdZCk nHeTG6PsYKc1FRyjrRcPJUKvI

After the administrator account is successfully taken over, you can take over the k8s cluster

Impact

An attacker can forge any jwt token to take over the administrator account of any online project. Further use the administrator to take over the k8s cluster of the target enterprise.

Occurrences

session.go L35

The use of hard-coded JwtSigKey allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code.

We are processing your report and will contact the kubeoperator/kubepi team within 24 hours. 7 days ago

Re modified the report

7 days ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md 6 days ago

We have contacted a member of the kubeoperator/kubepi team and are waiting to hear back 5 days ago

commented 5 days ago

Researcher

I noticed that kubepi has officially released a bug repair notice, why is the status of the report still awaiting review ?

commented 5 days ago

Researcher

Am I eligible for the prize pot ? :)

A kubeoperator/kubepi maintainer validated this vulnerability 3 days ago

Re has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A kubeoperator/kubepi maintainer marked this as fixed in v1.6.3 with commit 3be58b 3 days ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

A kubeoperator/kubepi maintainer published this vulnerability 3 days ago

session.go#L35 has been validated

A kubeoperator/kubepi maintainer

commented 3 days ago

Maintainer

The vulnerability has been fixed and CVE-2023-22463 has been issued, thanks for your report.

to join this conversation

We are processing your report and will contact the kubeoperator/kubepi team within 24 hours. 7 days ago

Re modified the report

7 days ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md 6 days ago

We have contacted a member of the kubeoperator/kubepi team and are waiting to hear back 5 days ago

commented 5 days ago

Researcher

I noticed that kubepi has officially released a bug repair notice, why is the status of the report still awaiting review ?

commented 5 days ago

Researcher

Am I eligible for the prize pot ? :)

A kubeoperator/kubepi maintainer validated this vulnerability 3 days ago

Re has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A kubeoperator/kubepi maintainer marked this as fixed in v1.6.3 with commit 3be58b 3 days ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

A kubeoperator/kubepi maintainer published this vulnerability 3 days ago

session.go#L35 has been validated

A kubeoperator/kubepi maintainer

commented 3 days ago

Maintainer

The vulnerability has been fixed and CVE-2023-22463 has been issued, thanks for your report.

to join this conversation