
CVE-2019-11244: kubectl --http-cache=<world-accessible dir> creates world-writeable cached schema files #76676

Closed
jzebor opened this issue Apr 16, 2019 · 12 comments · Fixed by #77874
Assignees
Labels
area/client-libraries area/security help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.

Comments

@jzebor

jzebor commented Apr 16, 2019

In kubectl v1.8.0+, schema info is cached in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-).

If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

CVSS score: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N (3.3, low)

What versions are affected?
kubectl v1.8.0+

What configurations are affected?
Invocations that point --cache-dir at world-writeable locations

Impact
Malformed responses written to the cache directory can disrupt the kubectl invocation

Workaround
Use the default --http-cache location in the $HOME directory or point it at a directory that is only accessible to desired users/groups.

(original description follows) ====
What happened: The files inside of ".kube/http-cache" are world writeable (rw-rw-rw-). While the default for these files appears to be the home directory, using the "--cache-dir" flag could put these files into a place where world writeable files would allow any user / process to modify the cache files. Modification of the cache files could influence the kubectl utility in a negative way for other users.

What you expected to happen: Apply stricter file permissions to the http-cache files.

How to reproduce it (as minimally and precisely as possible): Run any generic kubectl command which is successful and then list the cache directory ~/.kube/http-cache/*

$ kubectl get pods --all-namespaces
$ ls -la ~/.kube/http-cache/*

Anything else we need to know?: I estimate this is a low severity security issue with a CVSS score of "3.3 / CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Environment: Linux

Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.6", GitCommit:"ab91afd7062d4240e95e51ac00a18bd58fddd365", GitTreeState:"clean", BuildDate:"2019-02-26T12:49:28Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.6", GitCommit:"ab91afd7062d4240e95e51ac00a18bd58fddd365", GitTreeState:"clean", BuildDate:"2019-02-26T12:49:28Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider or hardware configuration: AWS. Running kube api server in hyperkube.

OS (e.g: cat /etc/os-release):
NAME="CentOS Linux"
VERSION="7.1808 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7.1808 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
OSTREE_VERSION=7.1808

Kernel (e.g. uname -a): Linux hackit.internal 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Install tools: Manual installation.

Others: n/a

@jzebor jzebor added the kind/bug Categorizes issue or PR as related to a bug. label Apr 16, 2019
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Apr 16, 2019
@jzebor
Author

jzebor commented Apr 16, 2019

/sig product-security

@k8s-ci-robot
Contributor

@neolit123: Closing this issue.

In response to this:

@jzebor if you think this is serious, send an email https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability
thanks!

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liggitt liggitt reopened this Apr 17, 2019
@liggitt liggitt added area/client-libraries sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Apr 17, 2019
@k8s-ci-robot k8s-ci-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Apr 17, 2019
@liggitt liggitt added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Apr 17, 2019
@liggitt
Member

liggitt commented Apr 17, 2019

Adjusted the CVSS score to https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N to indicate user interaction is required (since they must specify a non-default cache option pointed at a shared writeable location)

@liggitt
Member

liggitt commented Apr 17, 2019

There are two places this should be done:

PathPerm and FilePerm should be set here:
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/discovery/cached/disk/round_tripper.go#L37-L40

the temp file and final file should have stricter permissions (probably 0660) here:
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/discovery/cached/disk/cached_discovery.go#L184-L194
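An added example (written for this page, not code from kubernetes/client-go) in Go showing the two changes liggitt describes above, and giving a programmatic form of the `ls -la ~/.kube/http-cache/*` check from the report: `writeCacheFile` creates the cache directory and file with restrictive modes and writes via temp file plus rename, and `worldWritable` audits an existing cache directory for entries that still carry the other-write bit. The 0750/0660 values, the function names and the temp-file naming are assumptions; the project's actual constants in round_tripper.go and cached_discovery.go may differ.

```go
package main

import (
	"os"
	"path/filepath"
)

// Permission bits assumed here (constructed for this example; the project's
// own PathPerm/FilePerm values may differ).
const cacheDirPerm, cacheFilePerm os.FileMode = 0o750, 0o660 // rwxr-x---, rw-rw----

// writeCacheFile writes body to path atomically: the data goes to a temp file
// in the same directory (os.CreateTemp creates it 0600), the temp file is
// chmod'ed to cacheFilePerm, then renamed over path, so no reader ever sees
// a half-written or world-writable cache entry.
func writeCacheFile(path string, body []byte) error {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, cacheDirPerm); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(dir, filepath.Base(path)+".tmp-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err = tmp.Write(body); err == nil {
		err = tmp.Chmod(cacheFilePerm)
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// worldWritable walks dir and returns every entry whose mode has the
// other-write bit set, i.e. anything still exposed like the rw-rw-rw-
// cache files the report describes.
func worldWritable(dir string) ([]string, error) {
	var found []string
	err := filepath.Walk(dir, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.Mode().Perm()&0o002 != 0 {
			found = append(found, p)
		}
		return nil
	})
	return found, err
}
```

Running `worldWritable` against a `--cache-dir` that kubectl has already populated is a quick way to confirm whether an installed version still writes rw-rw-rw- files.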

@liggitt
Member

liggitt commented Apr 17, 2019

/cc @deads2k @caesarxuchao

@fedebongio
Contributor

/help

@k8s-ci-robot
Contributor

@fedebongio:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help


@k8s-ci-robot k8s-ci-robot added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Apr 18, 2019
@stealthybox
Member

/assign

@liggitt liggitt changed the title World writeable http-cache CVE-2019-11244: World-writeable http-cache Apr 18, 2019
@liggitt liggitt changed the title CVE-2019-11244: World-writeable http-cache CVE-2019-11244: kubectl --http-cache=<world-accessible dir> creates world-writeable cached schema files Apr 18, 2019
@yuchengwu
Contributor

/assign
I would like to work on release-1.9, as I just made a hot fix for our team's k8s version of 1.9.

@k8s-ci-robot
Contributor

@yuchengwu: GitHub didn't allow me to assign the following users: yuchengwu.

Note that only kubernetes members and repo collaborators can be assigned and that issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign
I would like to work on release-1.9, as I just made a hot fix for our team's k8s version of 1.9.


@liggitt
Member

liggitt commented May 9, 2019

I would like to work on release-1.9, as I just made a hot fix for our team's k8s version of 1.9.

help fixing this is welcome, though it would only be fixed in releases 1.12+, per https://kubernetes.io/docs/setup/version-skew-policy/#supported-versions

@PushkarJ
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)
