CVE-2022-0759 VULNERABILITY: `Config` defaults to `VERIFY_NONE` when kubeconfig doesn't specify custom CA - autoclosed

[cben]

this was assigned CVE-2022-0759

Dangerous bug present ever since Kubeclient::Config was created:

Whenever kubeconfig did not define custom CA (normal situation for production clusters with public domain and certificate!), Config was returning ssl_options[:verify_ssl] hard-coded to VERIFY_NONE :-(

Assuming you passed those ssl_options to Kubeclient::Client, this means that instead of checking server's certificate against your system CA store, it would accept ANY certificate, allowing easy man-in-the middle attacks.

This is especially dangerous with user/password or token credentials because MITM attacker could simply steal those credentials to the cluster and do anything you could do on the cluster.

Tightly related to #555, I'm fixing them together. This ticket is about the dangerous default, #555 is about inability to override it.

[cben]

This was broken IN ALL RELEASES MADE BEFORE 2022. I'm releasing a 4.9.3 with fix today.
Anyone who needs backports to other versions, let me know

[cben]

@lnacshonredhat (or anyone else who knows): can you help describe the impact when using client-certificate auth? My partial understanding:

• An attack on the app using kubeclient is still possible.

• Attacker can still fool kubeclient by returning made-up responses, it doesn't need 2nd connection to real cluster (because the client doens't verify the servers's identity).

  • This way attacker may get from kubeclient content of any resources kubeclient writes, e.g. if kubeclient is used to create/update secrets those will leak ☹️.

• However, the client cert's secret key is not sent, so attacker cannot steal the credentials for later use, only risks are during the active attack.

• The server does verify client's identity! 😅
  What degree of man-in-the-middle attack is possible?

  • Obviously attacker pass through the data byte-for-byte both ways (kubeclient⭤MITM⭤real cluster), but that's what any internet router does, so attacker can't decrypt.
  • Can attacker relay the inner HTTP protocol unmodified AND decrypt it? Or does decryption require changing the certs in a way that will make the cluster reject the TLS connection?
  • Can can attacker execute any action on the cluster different from kubeclient requested?
  • Can attacker switch from exact relaying to modifying anything mid-way?

[cben]

✔️ 4.9.3 released on rubygems.