Yoke ATC Unauthenticated Webhook Vulnerability Allowing Unauthorized WASM Execution

Vulnerability

A vulnerability exists in the Air Traffic Controller (ATC) component of Yoke in versions through 0.19.0. The ATC webhook endpoints do not authenticate their caller, so any pod on the cluster network can send AdmissionReview requests directly to the webhook instead of going through the Kubernetes API Server. Because an admission webhook relies on the API Server being its only client, this bypasses the authentication the API Server would otherwise provide and lets an attacker execute WASM modules in the context of the ATC controller without authorization.

Impact

Exploitation of this vulnerability allows for unauthorized execution of WASM modules in the ATC controller context, which could access sensitive controller data. When combined with another vulnerability (VUL-001), it could enable the creation of arbitrary Kubernetes resources.

Reproduction

The vulnerability can be reproduced by deploying Yoke ATC in a Kubernetes cluster that has no network policies restricting access to the ATC service. Once an example that exercises the webhook is deployed, crafted AdmissionReview requests sent from any pod on the cluster network to the ATC webhook endpoints are accepted without authentication and cause unauthorized WASM code to execute.

Remediation

To address this vulnerability, deploy a NetworkPolicy that restricts access to the ATC service so that only the kube-apiserver can connect. Alternatively, use a service mesh to enforce mutual TLS between services, or enforce strict pod security policies to limit which pods can be created in the cluster.
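The following NetworkPolicy is an added example of the first remediation and is not part of the advisory or of the Yoke project. It assumes ATC runs in a namespace named yoke-system, that its pods carry the label app.kubernetes.io/name=atc, that the webhook listens on TCP 443, and that the kube-apiserver reaches the pod network from the address 10.0.0.10/32; all four are placeholders to replace with the values of the actual cluster. The API Server's real source addresses can be read from the endpoints of the kubernetes Service in the default namespace (kubectl get endpoints kubernetes -n default).

```yaml
# Added example (not the advisory's or Yoke's own manifest): allow ingress to the
# ATC webhook pods only from the kube-apiserver.
# Placeholders to adjust: namespace "yoke-system", label app.kubernetes.io/name=atc,
# webhook port 443, API Server address 10.0.0.10/32.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: atc-webhook-apiserver-only
  namespace: yoke-system
spec:
  # Selecting the ATC pods makes every ingress not listed below denied.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: atc
  policyTypes:
    - Ingress
  ingress:
    - from:
        # kube-apiserver normally runs on the host network of the control-plane
        # nodes, or outside the cluster on managed offerings, so a podSelector
        # cannot match it; its address must be allowed explicitly.
        - ipBlock:
            cidr: 10.0.0.10/32
      ports:
        - protocol: TCP
          port: 443
```

Two caveats apply. A NetworkPolicy is only enforced by a CNI plugin that implements it; on a cluster whose network plugin ignores the resource, the manifest applies without error and changes nothing, so the policy should be verified by confirming that a connection attempt from an unrelated pod to the ATC service is now refused or times out. On managed Kubernetes offerings the API Server's source addresses are assigned by the provider and may change, in which case the ipBlock must be kept in step with the provider's documented control-plane range.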

Added: Feb 12, 2026, 10:34 PM
Updated: Feb 12, 2026, 10:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.