LoxiLB Incorrect Access Control Vulnerability Allowing Privilege Escalation
Vulnerability
An incorrect access control vulnerability has been identified in LoxiLB versions through 0.9.7. This vulnerability allows attackers to access sensitive information by exploiting inadequate permission management. Once attackers gain access to the service account's token, they can read any secrets within the Kubernetes cluster. This exploitation can lead to unauthorized privilege escalation at the cluster level, potentially allowing attackers to take over the entire cluster.
Impact
Exploitation of this vulnerability could result in unauthorized access to sensitive secrets in the Kubernetes cluster, followed by a privilege escalation that could lead to a complete takeover of the cluster.
Reproduction
To reproduce this vulnerability, a malicious user must first obtain the ServiceAccount token from a pod running on a worker node. This can be achieved by exploiting a DaemonSet associated with the 'hwameistor' project, which has excessive permissions on node resources. Once the token is acquired, it can be used to authenticate with the Kubernetes API server as a legitimate user, granting access to all secrets in the cluster. The sensitive information obtained can then be used to escalate privileges and potentially take over the entire cluster.
Remediation
Users can update to LoxiLB version 0.9.8.3 or later, where this vulnerability has been addressed.
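The root cause described above is a ServiceAccount bound to a ClusterRole that grants read access to Secrets across the whole cluster, so any pod holding that account's token can read every Secret. Operators who cannot upgrade immediately, or who want to confirm that an upgrade removed the grant, can audit RBAC for this pattern. The following is an added example written for this page, not LoxiLB project code: it takes ClusterRole and ClusterRoleBinding objects in the shape of the `items` lists returned by `kubectl get clusterroles,clusterrolebindings -o json` and reports every ServiceAccount whose bound ClusterRole can `get`, `list` or `watch` Secrets in the core API group, including grants made through `*` wildcards. The role, binding and account names in the sample data are constructed for illustration and are not the real LoxiLB manifests.

```python
"""Audit Kubernetes RBAC for ServiceAccounts that can read Secrets cluster-wide.

Added example, not LoxiLB project code. Input objects follow the JSON shape
of `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json`
(the `items` lists). Only ClusterRoleBindings are considered: a RoleBinding
that references a ClusterRole scopes the grant to one namespace, which is
the least-privilege shape an agent that only needs node data should use.
"""

# Verbs that disclose Secret contents (watch streams the objects too).
READ_VERBS = {"get", "list", "watch"}


def rule_exposes_secrets(rule):
    """True if a single PolicyRule grants a read verb on core-group secrets."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    core_group = "" in groups or "*" in groups      # secrets live in the core group
    secrets = "secrets" in resources or "*" in resources
    readable = "*" in verbs or bool(verbs & READ_VERBS)
    return core_group and secrets and readable


def roles_exposing_secrets(cluster_roles):
    """Names of ClusterRoles with at least one rule that can read Secrets."""
    return {
        role["metadata"]["name"]
        for role in cluster_roles
        if any(rule_exposes_secrets(r) for r in role.get("rules", []))
    }


def find_overprivileged_service_accounts(cluster_roles, bindings):
    """Return sorted (namespace, serviceaccount, clusterrole, binding) tuples
    for every ServiceAccount that can read Secrets cluster-wide."""
    risky = roles_exposing_secrets(cluster_roles)
    findings = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                findings.append((
                    subject.get("namespace", ""),
                    subject["name"],
                    ref["name"],
                    binding["metadata"]["name"],
                ))
    return sorted(findings)


# Constructed sample objects (hypothetical names, not the real LoxiLB manifests).
SAMPLE_CLUSTER_ROLES = [
    {   # Over-broad: reads nodes AND secrets cluster-wide (the vulnerable shape)
        "metadata": {"name": "lb-agent-broad"},
        "rules": [{"apiGroups": [""], "resources": ["nodes", "secrets"],
                   "verbs": ["get", "list", "watch"]}],
    },
    {   # Least privilege: only the node/endpoint data a load-balancer agent needs
        "metadata": {"name": "lb-agent-minimal"},
        "rules": [{"apiGroups": [""], "resources": ["nodes", "endpoints", "services"],
                   "verbs": ["get", "list", "watch"]}],
    },
    {   # Wildcard grant: also catches secrets without naming them
        "metadata": {"name": "everything"},
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    },
]

SAMPLE_BINDINGS = [
    {"metadata": {"name": "lb-agent-broad-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "lb-agent-broad"},
     "subjects": [{"kind": "ServiceAccount", "name": "lb-agent", "namespace": "kube-system"}]},
    {"metadata": {"name": "lb-agent-minimal-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "lb-agent-minimal"},
     "subjects": [{"kind": "ServiceAccount", "name": "lb-agent-hardened", "namespace": "kube-system"}]},
    {"metadata": {"name": "ops-everything"},
     "roleRef": {"kind": "ClusterRole", "name": "everything"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops-sa", "namespace": "ops"},
                  {"kind": "User", "name": "alice"}]},   # users are out of scope here
]


if __name__ == "__main__":
    for ns, sa, role, binding in find_overprivileged_service_accounts(
            SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS):
        print(f"{ns}/{sa} can read all Secrets via ClusterRole {role} ({binding})")
```

Running the block against a live cluster means feeding it the `items` arrays from the two `kubectl get ... -o json` commands instead of the constructed samples; every reported ServiceAccount is one whose token, if leaked from a pod, yields exactly the cluster-wide Secret read the advisory describes. The remediation is to drop `secrets` from the ClusterRole, or to move Secret access into a namespaced Role bound only where it is needed.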