KCP Cache Server Unauthenticated Access Vulnerability
Vulnerability
A vulnerability exists in KCP (Kubernetes Control Plane) versions prior to 0.30.3 and 0.29.3, where the cache server is exposed by the root shard without any authentication or authorization. This allows anyone with access to the root shard to read and write to the cache server. The vulnerability arises because the cache server is routed before any authentication or authorization checks are applied, creating a window where unauthorized access is possible.
Impact
Exploitation of this vulnerability allows for unauthenticated read and write access to the cache server. This could lead to unauthorized manipulation of cached objects and resources, with potential temporary privilege escalation due to a race condition when injecting malicious RBAC objects.
Reproduction
To reproduce this vulnerability, deploy KCP and ensure the root shard is accessible from untrusted networks. This can be done by exposing the shard's Service or Ingress on port 6443, or by setting the shard's external URL to a reachable address. Once the shard is exposed, the cache server can be accessed without authentication, allowing for unauthorized read and write operations.
Remediation
Users can upgrade to KCP versions 0.30.3 or 0.29.3, where this vulnerability has been fixed. For deployments where the root shard is exposed to untrusted networks, it is recommended to restrict access to the cache server at the network level, or to deploy the cache server separately with its own kubeconfig and restricted network access.
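A defender-side version check for the remediation guidance above, added here as an example and not code from the kcp project: it classifies a kcp version string against the fixed releases the advisory names. It assumes the 0.29 line is fixed from 0.29.3 onward, the 0.30 line from 0.30.3 onward, that minor lines older than 0.29 have no fixed release, and that lines newer than 0.30 carry the fix; the version strings in the demo loop are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by minor release line.
# The trailing 1 marks a final release; a pre-release of the same
# number (e.g. 0.30.3-rc.1) gets 0 so it sorts before the fix.
FIXED = {29: (0, 29, 3, 1), 30: (0, 30, 3, 1)}
LATEST_FIXED_MINOR = 30  # highest minor line the advisory names a fix for

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'v0.30.2', '0.30.3-rc.1+abc' into a comparable tuple.

    Returns (major, minor, patch, is_final) where is_final is 0 for a
    pre-release and 1 for a final release; build metadata is ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kcp version string: {text!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True if this kcp version predates the fix on its release line.

    Assumption (the advisory only states 'prior to 0.30.3 and 0.29.3'):
    0.29.x is fixed from 0.29.3, 0.30.x from 0.30.3, minor lines before
    0.29 have no fixed release, and lines after 0.30 include the fix.
    """
    major, minor, _patch, _final = parsed = parse_version(version)
    if major > 0 or minor > LATEST_FIXED_MINOR:
        return False
    if minor in FIXED:
        return parsed < FIXED[minor]
    return True  # older minor line with no patched release


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for v in ["v0.28.1", "0.29.2", "0.29.3", "0.30.3-rc.1", "v0.30.3", "0.31.0"]:
        print(f"{v:14} {'AFFECTED: upgrade' if is_affected(v) else 'fixed'}")
```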
