Feiskyer MCP-Kubernetes-Server OS Command Injection Vulnerability

A command injection vulnerability has been identified in Feiskyer MCP-Kubernetes-Server versions through 0.1.11. The issue arises in the MCP tool 'kubectl', which is intended for safe interaction with Kubernetes clusters. However, the tool's command validation is flawed, allowing attackers to inject and execute arbitrary OS commands on the server hosting the MCP application. This vulnerability exists even in read-only mode, as the server's security flags can be bypassed to perform destructive actions on the Kubernetes cluster.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the MCP-Kubernetes-Server is running. This could lead to a full system compromise and unauthorized access to the Kubernetes cluster and its resources.

Reproduction

The vulnerability can be reproduced by sending a command to the 'kubectl' tool that includes shell metacharacters, such as semicolons, to chain commands. The first command must be a legitimate 'kubectl' command to bypass the initial validation, followed by a malicious command. This can also be done indirectly by embedding a prompt into a pod's log, which a vulnerable LLM client might execute, resulting in command injection.

Remediation

To address this vulnerability, the 'command.py' module should be revised to prevent the use of 'shell=True' in subprocess.run calls. Instead, commands and their arguments should be passed as a list. Additionally, user-provided inputs must be validated against a whitelist of safe 'kubectl' commands and parameters, rejecting or stripping command chaining metacharacters.