Karmada Excessive Privileges Vulnerability in Pull Mode Clusters
Vulnerability
A vulnerability exists in Karmada versions prior to 1.12.0, where pull mode clusters registered with the 'karmadactl register' command are granted excessive privileges. This allows an attacker authenticated to the Karmada cluster as a 'karmada-agent' to gain administrative rights over the entire federation system, including all registered member clusters. The issue arises because the 'karmada-agent' is assigned high-level RBAC permissions that inadvertently allow access to sensitive control plane resources. In Karmada v1.12.0 and later, this vulnerability has been addressed by restricting the permissions of pull mode member clusters, preventing agents from controlling other member clusters.
Impact
Exploitation of this vulnerability allows for unauthorized administrative access across the entire Karmada federation system, including all member clusters.
Reproduction
To reproduce this vulnerability, register a pull mode cluster with Karmada using the 'karmadactl register' command. This will grant the 'karmada-agent' in that cluster excessive privileges on the control plane, including access to sensitive resources like secrets and cluster-wide permissions. Once the cluster is registered, the 'karmada-agent' can be used to manipulate resources or permissions in a way that exploits these excessive privileges.
Remediation
Users can upgrade to Karmada version 1.12.0 or later, where this vulnerability has been patched. Alternatively, Karmada administrators can manually adjust the RBAC permissions for pull mode member clusters to limit their access to control plane resources, following the guidance in the Karmada Component Permissions documentation.
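The manual remediation above amounts to checking what the ClusterRole bound to a pull mode agent can actually do on the control plane. The following audit script is an added example, not Karmada's own code and not the content of the Karmada Component Permissions documentation: it reads a ClusterRole (as produced by `kubectl get clusterrole NAME -o json`) and flags the rule shapes that produce the over-privilege described here, namely wildcard grants, unscoped access to sensitive resources such as secrets, and write access to every `cluster.karmada.io` Cluster object rather than only the agent's own. The two sample roles, the member cluster name `member1`, and the `SENSITIVE_RESOURCES` list are constructed for illustration.

```python
"""Audit the RBAC ClusterRole granted to a pull-mode karmada-agent.

Added example, not Karmada's own code. It flags rules that grant wildcard or
federation-wide access on the control plane so an administrator can compare a
role before and after tightening it. Sample roles below are constructed.
"""
import json
import sys
from typing import Dict, List

# Control-plane resources a member-cluster agent should never reach.
# Constructed list for this example; extend it to match your deployment.
SENSITIVE_RESOURCES = {"secrets", "clusterroles", "clusterrolebindings",
                       "roles", "rolebindings", "serviceaccounts"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def rule_findings(rule: Dict) -> List[str]:
    """Return findings for one Kubernetes PolicyRule; empty if it looks scoped."""
    api_groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    names = rule.get("resourceNames", [])
    findings: List[str] = []
    if "*" in api_groups or "*" in resources:
        findings.append(f"wildcard apiGroups/resources grant: "
                        f"groups={sorted(api_groups)} resources={sorted(resources)}")
    if "*" in verbs:
        findings.append(f"wildcard verbs on resources={sorted(resources)}")
    sensitive = SENSITIVE_RESOURCES & resources
    if sensitive and not names:
        findings.append(f"unscoped access to sensitive resources {sorted(sensitive)} "
                        f"with verbs={sorted(verbs)}")
    # Write access to every Cluster object lets one agent act on other member
    # clusters, which is the federation-wide impact the advisory describes.
    # Least privilege scopes the grant to the agent's own Cluster via resourceNames.
    if ("cluster.karmada.io" in api_groups
            and resources & {"clusters", "clusters/status"}
            and verbs & WRITE_VERBS and not names):
        findings.append("can modify Cluster objects of all member clusters "
                        "(no resourceNames scope)")
    return findings


def audit_cluster_role(cluster_role: Dict) -> List[str]:
    """Collect findings across all rules of a ClusterRole, tagged by rule index."""
    findings: List[str] = []
    for idx, rule in enumerate(cluster_role.get("rules", [])):
        findings.extend(f"rule[{idx}]: {f}" for f in rule_findings(rule))
    return findings


def is_excessive(cluster_role: Dict) -> bool:
    return bool(audit_cluster_role(cluster_role))


# Constructed sample: the over-privileged shape (wildcards, secrets, all clusters).
EXCESSIVE_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "example-agent-excessive"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters"],
         "verbs": ["get", "list", "update", "patch", "delete"]},
    ],
}

# Constructed sample: a least-privilege shape scoped to the agent's own cluster.
RESTRICTED_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "example-agent-restricted"},
    "rules": [
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters"],
         "resourceNames": ["member1"], "verbs": ["get", "update", "patch"]},
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters/status"],
         "resourceNames": ["member1"], "verbs": ["update", "patch"]},
        {"apiGroups": ["work.karmada.io"], "resources": ["works"],
         "verbs": ["get", "list", "watch"]},
    ],
}


if __name__ == "__main__":
    # Usage: kubectl get clusterrole NAME -o json > role.json && python audit.py role.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            roles = [json.load(fh)]
    else:
        roles = [EXCESSIVE_ROLE, RESTRICTED_ROLE]
    for role in roles:
        name = role.get("metadata", {}).get("name", "<unnamed>")
        result = audit_cluster_role(role)
        print(f"{name}: {'EXCESSIVE' if result else 'ok'}")
        for line in result:
            print("  -", line)
```

Run without arguments it audits the two constructed roles; pass the JSON of the ClusterRole actually bound to your agent's ServiceAccount to audit that instead. One RBAC subtlety worth remembering when tightening the role: `resourceNames` scopes `get`, `update`, `patch` and `delete`, but not `list` or `watch`, so a listing grant on `clusters` still exposes every member cluster's object to the agent.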
