Yoke ATC Component Arbitrary WASM Code Execution Vulnerability

Vulnerability

A vulnerability in the Air Traffic Controller (ATC) component of Yoke, an infrastructure-as-code package deployer, allows any user with create or update permission on a managed Custom Resource (CR) to execute arbitrary WebAssembly (WASM) code inside the controller. The attacker sets the 'overrides.yoke.cd/flight' annotation on the CR to a URL they control; the ATC controller downloads the module at that URL and executes it without validating the URL. Because the module runs with the controller's permissions, it can create arbitrary Kubernetes resources and potentially escalate to cluster-admin.

Impact

Exploitation gives the attacker remote code execution in the ATC controller's context: the attacker-supplied WASM module runs with the controller's permissions and can create or modify Kubernetes resources. If ClusterAccess is enabled, the module can also read cluster secrets, which extends the escalation path to cluster-admin.

Reproduction

A Backend Custom Resource carrying a 'overrides.yoke.cd/flight' annotation that points to an attacker-controlled WASM module is enough to reproduce the issue: the ATC controller downloads and executes the module, and a module that creates a ConfigMap serves as proof that attacker code ran.

Remediation

Users are advised to disable processing of the 'overrides.yoke.cd/flight' annotation in production environments, restrict the ATC controller's outbound network access so it cannot fetch modules from arbitrary hosts, limit CR create/update permissions to trusted users, and deploy a validating admission webhook that rejects CRs carrying the 'overrides.yoke.cd/flight' annotation. Of these, egress restriction and the admission webhook block the vector itself (the module cannot be fetched, or the annotation never reaches the controller); limiting CR permissions only narrows who can attempt it.
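The admission check recommended above, written out as an added example (this is not Yoke's code, nor a webhook shipped by the project). It implements the decision side of a Kubernetes validating admission webhook: parse the AdmissionReview the API server sends, deny any object whose metadata carries the 'overrides.yoke.cd/flight' annotation regardless of its value, fail closed on an unparseable object, and echo the request UID in the reply. The AdmissionReview types are a hand-written subset of admission.k8s.io/v1 so the file builds without k8s.io/api; the Backend CR's apiVersion (example.com/v1), the attacker URL and the sample reviews are constructed for the demo and are not from the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Annotation named in the advisory: its value is the URL the ATC controller fetches and runs.
const FlightOverrideAnnotation = "overrides.yoke.cd/flight"

// Hand-written subset of admission.k8s.io/v1 (JSON tags match the upstream field names).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"`
	Object    json.RawMessage `json:"object,omitempty"` // absent on DELETE
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"`
}

type Status struct {
	Code    int32  `json:"code,omitempty"`
	Message string `json:"message,omitempty"`
}

// objectMeta extracts only the fields the check needs from the submitted CR.
type objectMeta struct {
	Metadata struct {
		Name        string            `json:"name"`
		Namespace   string            `json:"namespace"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// Validate denies any object carrying the override annotation, whatever its value.
// An object that cannot be parsed is denied too (fail closed), not waved through.
func Validate(req *AdmissionRequest) *AdmissionResponse {
	resp := &AdmissionResponse{UID: req.UID, Allowed: true}
	if len(req.Object) == 0 {
		return resp // DELETE carries no object; nothing to inspect
	}
	var obj objectMeta
	if err := json.Unmarshal(req.Object, &obj); err != nil {
		resp.Allowed = false
		resp.Result = &Status{Code: http.StatusBadRequest, Message: "cannot parse object metadata: " + err.Error()}
		return resp
	}
	if url, ok := obj.Metadata.Annotations[FlightOverrideAnnotation]; ok {
		resp.Allowed = false
		resp.Result = &Status{Code: http.StatusForbidden, Message: fmt.Sprintf(
			"%s/%s: annotation %q is not permitted (value %q)",
			obj.Metadata.Namespace, obj.Metadata.Name, FlightOverrideAnnotation, url)}
	}
	return resp
}

// Decide parses a raw AdmissionReview body and returns the verdict for its request.
func Decide(body []byte) (*AdmissionResponse, error) {
	var review AdmissionReview
	if err := json.Unmarshal(body, &review); err != nil {
		return nil, fmt.Errorf("malformed AdmissionReview: %w", err)
	}
	if review.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	return Validate(review.Request), nil
}

// ServeHTTP is the handler to mount at the path named in the ValidatingWebhookConfiguration.
func ServeHTTP(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap the body; the API server sends small reviews
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	resp, err := Decide(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp})
}

// SampleReview builds a constructed AdmissionReview for a Backend CR (apiVersion assumed).
func SampleReview(annotations map[string]string) []byte {
	obj := map[string]any{"apiVersion": "example.com/v1", "kind": "Backend",
		"metadata": map[string]any{"name": "demo", "namespace": "default", "annotations": annotations}}
	raw, _ := json.Marshal(obj)
	body, _ := json.Marshal(AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Request: &AdmissionRequest{UID: "uid-1", Operation: "CREATE", Object: raw}})
	return body
}

func main() {
	for _, ann := range []map[string]string{
		{FlightOverrideAnnotation: "https://attacker.example/flight.wasm"}, // constructed attacker URL
		{"team": "payments"},
	} {
		resp, _ := Decide(SampleReview(ann))
		fmt.Printf("annotations=%v allowed=%v\n", ann, resp.Allowed)
	}
}
```

Register the handler over TLS (the API server only calls webhooks over HTTPS) and set failurePolicy: Fail on the ValidatingWebhookConfiguration so an outage of the webhook does not silently reopen the vector. On clusters where ValidatingAdmissionPolicy is available, the same rule can be expressed without running a webhook at all, as the CEL expression `!has(object.metadata.annotations) || !('overrides.yoke.cd/flight' in object.metadata.annotations)` scoped to the CRDs that ATC manages.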

Added: Feb 12, 2026, 10:33 PM
Updated: Feb 12, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.