KubeAI Ollama Engine Command Injection Vulnerability in Kubernetes Startup Probe
Vulnerability
A command injection vulnerability has been identified in KubeAI versions prior to 0.23.2. The issue arises in the Ollama engine's startup probe, where the 'ollamaStartupProbeScript()' function constructs a shell command using unsanitized model URL components. This command is executed in model server pods as part of the Kubernetes startup probe. An attacker with the ability to create or update Model custom resources can inject arbitrary shell commands that are executed inside the pods.
Impact
Exploitation of this vulnerability allows for arbitrary command execution in model server pods. This could lead to unauthorized access to environment variables, mounted secrets, and service account tokens. In a multi-tenant Kubernetes cluster, a tenant with Model creation permissions could execute commands in model pods, potentially accessing sensitive information or moving laterally to other cluster resources.
Reproduction
To reproduce this vulnerability, create a Model custom resource with a URL that includes shell metacharacters in the 'ref' component or inject commands through the '?model=' query parameter. The injected commands will be executed in the model server pod's environment.
Remediation
Users are advised to update KubeAI to version 0.23.2 or later. For those unable to update, consider validating or sanitizing model URL components before they are used in shell commands.
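For the validation route mentioned above, one possible pre-admission check is sketched below. It is an added example, not KubeAI's own code and not the fix shipped in 0.23.2. The URL form ollama://<ref>[?model=<name>], the function name ValidateOllamaURL and the character allowlist are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumed allowlist for model names and tags: letters, digits and . _ - / :
// Everything else (spaces, quotes, ; | & $ ` and so on) is rejected.
var safeModelRef = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/:-]{0,254}$`)

// ValidateOllamaURL (hypothetical helper) rejects a model URL unless every
// component that could reach a shell command matches the allowlist.
// Assumed form: ollama://<ref>[?model=<name>]
func ValidateOllamaURL(raw string) error {
	rest, ok := strings.CutPrefix(raw, "ollama://")
	if !ok {
		return errors.New("not an ollama:// URL")
	}
	ref, query, _ := strings.Cut(rest, "?")
	if !safeModelRef.MatchString(ref) {
		return fmt.Errorf("ref %q contains disallowed characters", ref)
	}
	// ParseQuery percent-decodes, so encoded metacharacters are checked too.
	params, err := url.ParseQuery(query)
	if err != nil {
		return fmt.Errorf("bad query: %w", err)
	}
	for key, vals := range params {
		if key != "model" || len(vals) != 1 {
			return fmt.Errorf("unexpected query parameter %q", key)
		}
		if !safeModelRef.MatchString(vals[0]) {
			return fmt.Errorf("model %q contains disallowed characters", vals[0])
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	for _, u := range []string{"ollama://gemma2:2b", "ollama://gemma2:2b; echo x", "ollama://m?model=a%3Bb"} {
		fmt.Printf("%-30q -> %v\n", u, ValidateOllamaURL(u))
	}
}
```

An allowlist rejects the resource before any command string is built, which is more robust than trying to escape metacharacters afterwards.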
