Kyverno Subject and Issuer Regular Expression Ignorance Vulnerability in Keyless Verification

Vulnerability

A vulnerability exists in Kyverno versions 1.13.0 through 1.13.5 and prior to 1.14.0-alpha.1, where the policy engine disregards the subjectRegExp and issuerRegExp fields during artifact signature verification in keyless mode. This oversight allows attackers to deploy Kubernetes resources using artifacts signed by unauthorized certificates. The deployment of such resources could lead to a complete compromise of the Kubernetes cluster.

Impact

Exploiting this vulnerability could result in unauthorized Kubernetes resources being deployed, potentially compromising the entire Kubernetes cluster.

Reproduction

To reproduce this vulnerability, first create a self-signed certificate chain consisting of a root CA and an intermediate CA. Then generate a leaf certificate and use it to sign an image, while the policy's subjectRegExp and issuerRegExp fields are set to regular expressions that do not match the actual certificate details. After pushing the signed image to a container registry, import the signing key into Kyverno and deploy the image. The deployment will succeed, bypassing the regular expression validation.
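The following Go program is an added illustration of the check involved and is not Kyverno's own code. It builds a constructed certificate shaped like a Fulcio keyless signing certificate (email SAN plus the Sigstore issuer extension 1.3.6.1.4.1.57264.1.1), then evaluates it against a policy that constrains the signer only through subjectRegExp and issuerRegExp. The function matchIgnoringRegExp models the defect the advisory describes (only the exact subject and issuer are compared); matchIdentity is the check a policy author expects. The KeylessExpectation type, the function names and the sample identities are assumptions made for this example; the decision to reject a policy that constrains neither subject nor issuer is also a design choice of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// oidFulcioIssuer is the Sigstore/Fulcio extension carrying the OIDC issuer URL
// of a keyless signing certificate (1.3.6.1.4.1.57264.1.1).
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// KeylessExpectation (hypothetical type) holds the identity constraints of a
// keyless attestor: an exact value or a regular expression for subject and issuer.
type KeylessExpectation struct {
	Subject, Issuer               string
	SubjectRegExp, IssuerRegExp   string
}

// identityFromCert returns the signer identity (first email SAN) and the OIDC
// issuer read from the Fulcio extension.
func identityFromCert(cert *x509.Certificate) (subject, issuer string) {
	if len(cert.EmailAddresses) > 0 {
		subject = cert.EmailAddresses[0]
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			issuer = string(ext.Value)
		}
	}
	return subject, issuer
}

// fieldMatches applies an exact constraint and/or a regular expression to one
// identity field. An empty constraint imposes nothing.
func fieldMatches(got, exact, pattern string) (bool, error) {
	if exact != "" && exact != got {
		return false, nil
	}
	if pattern != "" {
		return regexp.MatchString(pattern, got)
	}
	return true, nil
}

// matchIgnoringRegExp models the defect in the advisory: the regular expression
// fields are never consulted, so a regexp-only policy accepts any identity.
func matchIgnoringRegExp(subject, issuer string, want KeylessExpectation) bool {
	okSubject, _ := fieldMatches(subject, want.Subject, "")
	okIssuer, _ := fieldMatches(issuer, want.Issuer, "")
	return okSubject && okIssuer
}

// matchIdentity enforces every configured constraint and refuses a policy that
// leaves subject or issuer completely unconstrained.
func matchIdentity(subject, issuer string, want KeylessExpectation) (bool, error) {
	if (want.Subject == "" && want.SubjectRegExp == "") || (want.Issuer == "" && want.IssuerRegExp == "") {
		return false, fmt.Errorf("keyless attestor must constrain both subject and issuer")
	}
	ok, err := fieldMatches(subject, want.Subject, want.SubjectRegExp)
	if err != nil || !ok {
		return false, err
	}
	return fieldMatches(issuer, want.Issuer, want.IssuerRegExp)
}

// newKeylessCert builds a constructed, self-signed certificate that imitates a
// Fulcio keyless signing certificate. It is sample input, not a Sigstore artifact.
func newKeylessCert(email, issuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed keyless signer"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Evaluate runs both checks on a certificate and reports whether the defective
// and the correct check accept it.
func Evaluate(cert *x509.Certificate, want KeylessExpectation) (buggy, correct bool, err error) {
	subject, issuer := identityFromCert(cert)
	buggy = matchIgnoringRegExp(subject, issuer, want)
	correct, err = matchIdentity(subject, issuer, want)
	return buggy, correct, err
}

func main() {
	// A regexp-only policy: exactly the configuration the advisory says was ignored.
	want := KeylessExpectation{
		SubjectRegExp: `^release-bot@example\.com$`,
		IssuerRegExp:  `^https://accounts\.example\.com$`,
	}
	cert, err := newKeylessCert("unrelated@other.example", "https://oidc.other.example")
	if err != nil {
		panic(err)
	}
	buggy, correct, err := Evaluate(cert, want)
	if err != nil {
		panic(err)
	}
	fmt.Printf("defective check accepts unrelated signer: %v\n", buggy)
	fmt.Printf("regexp-enforcing check accepts it:        %v\n", correct)
}
```

Note that Go's regexp.MatchString is unanchored, so a policy pattern should carry `^` and `$` as the sample patterns do; otherwise `example.com` would also match `example.com.other.example`.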

Remediation

Users can upgrade to Kyverno versions 1.13.6 or 1.14.0 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.