Trending CVEs for the Week of April 1st, 2019

CVE-2019-1002101 – Kubernetes Directory Traversal


Back in February, we talked about a malicious container ‘break out’ vulnerability in runc (CVE-2019-5736), a universal command-line interface tool developed by Docker and used by Docker, Kubernetes and other containerization systems to spawn and run containers. That remains, to date, the most talked about vulnerability of 2019. For a quick summary of the top ten vulnerabilities so far, see our next post on 2019 Q1 Social Media Trends.

As a quick reminder, Docker and Kubernetes are widely cited as two of the most influential and widely adopted open-source projects of the last few years. Containerization is an approach of running applications on an operating system so that the application is isolated from the rest of the system. Docker is what enables running, creating and managing containers on a single operating system. Once Docker is installed on many hosts (multiple operating systems), Kubernetes can then allow automated container provisioning, networking, load-balancing, security and scaling across all these nodes from a single command line or dashboard. Kubernetes has become somewhat of the de facto standard for container orchestration.

This week, a new Kubernetes-related vulnerability is trending – CVE-2019-1002101 – an input validation/arbitrary file overwrite vulnerability. Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. NVD description gives more insight into how exactly this could happen:

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links.

The vulnerability was discovered and reported by Ariel Zelivansky, a security researcher at Twistlock, who explained that it was linked to a patch to another vulnerability from last year – CVE-2018-1002100.

Affected Products

Versions prior to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 are vulnerable.

Exploitation and Risk

This vulnerability is not as severe as some other CVEs that we’ve covered lately, since exploiting it requires a rogue container to be used inside the cluster.  Per the original report by Zelivansky, the vulnerability can be dangerous in one of two scenarios:

  1. A user unknowingly downloads a malicious container image with a bad tar. The attacker can push such an image to any registry (e.g. Docker Hub) for a popular image he has control of or rely on typosquatting.
  2. An attacker compromises a running container by exploiting another vulnerability or in some cases he may have legitimate access to a container. The attacker then plants a malicious tar replacing the original tar of the image.

Targeted exploitation of this vulnerability could  lead to exfiltration of potentially highly sensitive information. If kubectl is run as root, achieving remote code execution becomes trivial through the modification of one of many configuration or system files. However,  kubectl is more commonly run as a user, which makes it harder for an attacker to deterministically get code execution. Zelivasky also presented a proof of concept exploit.


Updates are available. Users should make sure they are running Kubernetes version  1.11.9, 1.12.7, 1.13.5, and 1.14.0 or newer.


Kubernetes Disclosure and Upgrades

Disclosure, Impact, and PoC by Zelivansky



Share your thoughts in our community!

Click Here