Kube Resource Orchestrator Confused Deputy Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in Kube Resource Orchestrator (kro) versions 0.1.0 up to, but not including, 0.2.1. A user who holds Kubernetes RBAC permission to create or modify ResourceGraphDefinition (RGD) resources can reference arbitrary container images in the RGD's resource templates. kro's controllers render those templates into live workloads using their own service-account privileges, without checking whether the RGD author was entitled to run that image. This is a confused-deputy scenario: the controller acts on attacker-supplied input with its own authority, so an authenticated user with no more than RGD write access obtains code execution in pods that kro schedules onto cluster nodes.

Impact

Exploitation gives an authenticated user whose only relevant right is to create or modify RGDs the ability to run attacker-controlled container images in the cluster, at whatever privilege level the rendered pod specification requests. Because the workload is created by kro's controller rather than by the user, the user's own RBAC limits never apply to it; the effective privilege is the controller's, and the code runs on cluster nodes.

Reproduction

To reproduce the issue, use a principal that holds only create (or update) permission on ResourceGraphDefinition resources (API group kro.run), not cluster-admin: a cluster-admin can run any image anyway, so a meaningful test must show escalation from the narrower role. With that principal, apply an RGD whose resource template contains a container image under the attacker's control. Once the RGD is accepted, kro's controller renders the template and creates the workload, and the image executes on a cluster node regardless of whether the submitting user could have created pods directly.
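The check a practitioner wants before and after the upgrade is an inventory of every container image that kro would deploy on behalf of RGD authors. The following is an added example, not code from the kro project: it walks the resource templates of an RGD (kro's spec.resources[].template layout, assumed here from the documented v1alpha1 shape) and reports each image, flagging images outside an allowlisted registry and images that are templated from the instance schema, where the image is chosen by whoever creates an instance rather than fixed in the graph. The sample RGD and the registry allowlist are constructed for the example; in practice the input would come from `kubectl get resourcegraphdefinitions -A -o json`.

```python
"""Audit a kro ResourceGraphDefinition for the container images its controller would run.

Added example, not kro's own code. Assumptions (labelled): the RGD layout
spec.resources[].id / spec.resources[].template, kro's ${...} CEL template
syntax, and the allowlisted registry host below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the only registry this cluster is allowed to pull from.
ALLOWED_REGISTRIES = ("registry.internal.example/",)
# kro expression syntax; an image containing one is decided at instance time.
TEMPLATE_RE = re.compile(r"\$\{.*?\}")


@dataclass(frozen=True)
class ImageFinding:
    resource_id: str   # spec.resources[].id
    path: str          # location of the image key inside the template
    image: str
    reason: str        # "ok" | "untrusted-registry" | "templated"


def _walk(obj, path: str = ""):
    """Yield (path, value) for every string-valued key named 'image', at any depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            sub = f"{path}.{key}" if path else key
            if key == "image" and isinstance(value, str):
                yield sub, value
            else:
                yield from _walk(value, sub)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")


def classify(image: str) -> str:
    """Decide whether a rendered image reference is acceptable."""
    if TEMPLATE_RE.search(image):
        return "templated"
    # Docker Hub shorthand (no registry host at all) also fails the prefix test.
    if any(image.startswith(reg) for reg in ALLOWED_REGISTRIES):
        return "ok"
    return "untrusted-registry"


def audit_rgd(rgd: dict) -> list[ImageFinding]:
    """Return one finding per image key found in any resource template of the RGD."""
    findings: list[ImageFinding] = []
    for res in rgd.get("spec", {}).get("resources", []):
        for path, image in _walk(res.get("template", {})):
            findings.append(ImageFinding(res.get("id", "?"), path, image, classify(image)))
    return findings


def unacceptable(rgd: dict) -> list[ImageFinding]:
    """Findings that a reviewer must act on (anything that is not a pinned, trusted image)."""
    return [f for f in audit_rgd(rgd) if f.reason != "ok"]


# Constructed sample: the parsed form of an RGD manifest a low-privileged user might apply.
SAMPLE_RGD = {
    "apiVersion": "kro.run/v1alpha1",
    "kind": "ResourceGraphDefinition",
    "metadata": {"name": "web-app"},
    "spec": {
        "schema": {
            "apiVersion": "v1alpha1",
            "kind": "WebApp",
            "spec": {"name": "string", "image": 'string | default="nginx"'},
        },
        "resources": [
            {
                "id": "deployment",
                "template": {
                    "apiVersion": "apps/v1",
                    "kind": "Deployment",
                    "metadata": {"name": "${schema.spec.name}"},
                    "spec": {"template": {"spec": {
                        "initContainers": [
                            {"name": "init", "image": "attacker.example/backdoor:latest"},
                        ],
                        "containers": [
                            {"name": "web", "image": "${schema.spec.image}"},
                            {"name": "sidecar", "image": "registry.internal.example/sidecar:1.2"},
                        ],
                    }}},
                },
            },
        ],
    },
}

if __name__ == "__main__":
    for finding in audit_rgd(SAMPLE_RGD):
        print(f"{finding.reason:19} {finding.resource_id}:{finding.path} -> {finding.image}")
```

The walker deliberately matches any `image` key rather than only `containers[].image`, because an RGD template can wrap a pod spec inside a Deployment, Job, CronJob or a third-party CRD, and the controller renders whatever is there. Treat a `templated` finding as equivalent to an untrusted image unless an admission policy constrains the instance field it draws from.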

Remediation

Users are advised to update to Kube Resource Orchestrator 0.2.2 or later. The affected range ends before 0.2.1, so any release at or after 0.2.1 carries the fix. Until the upgrade is complete, treat create and update rights on ResourceGraphDefinition resources as equivalent to the ability to run arbitrary workloads with kro's controller privileges: review which subjects hold those rights, and review existing RGDs for images pulled from registries you do not control.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.1
remediation: 0.0
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.