KubePlus Command Injection Vulnerability in KubeconfigGenerator Component
Vulnerability
A command injection vulnerability has been identified in the KubePlus application, specifically within the kubeconfiggenerator component, affecting all versions through 4.2.0. The issue arises in the '/registercrd' endpoint, where the 'chartName' parameter is not properly validated before being passed to the command execution function. This flaw allows attackers to inject arbitrary shell commands, which are executed with root privileges in the container. Additionally, exploitation of this vulnerability enables the theft of ServiceAccount Tokens with cluster-admin rights.
Impact
Exploitation of this vulnerability allows for remote code execution as root in the kubeconfiggenerator container, theft of ServiceAccount Tokens with cluster-admin privileges, and unauthorized access to the Kubernetes API, potentially leading to a full cluster takeover.
Reproduction
To reproduce this vulnerability, first set up a KubePlus environment in a Kubernetes cluster. Once KubePlus is installed, forward the port for the kubeconfighelper service to access the HTTP interface. Then, send a request to the '/registercrd' endpoint with a malicious 'chartName' parameter that includes injected commands. After the command is executed, the same process can be used to steal the ServiceAccount Token by injecting a command that reads the token from its default location and writes it to a file, which can then be accessed and verified.
Remediation
There is currently no patched version available. As a workaround, restrict access to the kubeconfighelper service using a NetworkPolicy, reduce the privileges of the kubeplus-saas-provider ServiceAccount, and monitor for abnormal command execution in the kubeconfiggenerator container.
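Since no patched version exists, the following is an added illustration of what a fix for the flaw described above looks like. It is not KubePlus's own code: the helper's language, the exact helm subcommand behind '/registercrd' and the handler shape are assumptions. The two points it demonstrates are that the chart name is checked against an allowlist grammar before use, and that the command is built as an argument vector so the value never reaches a shell at all.

```python
import re
import subprocess
from typing import Callable

# Assumed grammar for a chart name: a DNS-label-like token. Anything outside this
# allowlist (spaces, ';', '|', '$', backticks, '/', ...) is rejected outright, so the
# check does not depend on enumerating shell metacharacters.
CHART_NAME_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


class InvalidChartName(ValueError):
    """Raised when chartName fails validation; mapped to HTTP 400 by the handler."""


def validate_chart_name(chart_name) -> str:
    """Accept only a string that fully matches the allowlist pattern."""
    if not isinstance(chart_name, str) or CHART_NAME_RE.fullmatch(chart_name) is None:
        raise InvalidChartName(f"chartName rejected: {chart_name!r}")
    return chart_name


def build_command(chart_name: str) -> list[str]:
    """Build the argv for the helper's helm call (the subcommand is assumed here).

    Returning an argument vector rather than a command string means the chart name
    can only ever be a single argv element; it is never parsed by /bin/sh.
    """
    return ["helm", "show", "crds", validate_chart_name(chart_name)]


def run_command(argv: list[str], runner: Callable = subprocess.run):
    # shell=False is the default, stated explicitly so a later edit cannot silently
    # reintroduce a shell; the timeout bounds a hung helm process.
    return runner(argv, shell=False, capture_output=True, text=True,
                  check=False, timeout=60)


def handle_registercrd(payload: dict, runner: Callable = subprocess.run) -> tuple[int, dict]:
    """Minimal stand-in for a /registercrd handler: returns (status, body)."""
    try:
        argv = build_command(payload.get("chartName"))
    except InvalidChartName as exc:
        return 400, {"error": str(exc)}
    result = run_command(argv, runner)
    if result.returncode != 0:
        return 502, {"error": "helm failed", "stderr": result.stderr[-2000:]}
    return 200, {"crds": result.stdout}


if __name__ == "__main__":
    # Constructed inputs: one legitimate chart name and a few shaped like injection attempts.
    for name in ["nginx-chart", "chart; id", "chart$(id)", "../chart"]:
        try:
            print(name, "->", build_command(name))
        except InvalidChartName as exc:
            print(name, "->", exc)
```

The validation is an allowlist rather than a denylist of shell characters, so a value like '../chart' or one containing whitespace is rejected as well; the argv construction is the second, independent layer, so even a gap in the pattern would not hand the value to a shell. Running the helper as a non-root user and with a ServiceAccount that lacks cluster-admin, as the remediation above suggests, limits what a future bypass could reach.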
