Impact of RBAC Buster attack on Red Hat OpenShift


Summary

  • Aqua Security research shows how the RBAC Buster campaign uses RBAC to gain persistence on the OpenShift cluster.
  • Initial access is gained through a misconfiguration of the cluster that renders RBAC completely ineffective: the anonymous user effectively has admin-level privileges. There is no good reason for production clusters to run in this configuration.
  • There is no vulnerability in the Kubernetes or OpenShift codebase itself.
  • Red Hat Security Architects audited the OpenShift default configuration for similar issues and confirmed that it is not vulnerable.

Discussion

RBAC Buster is an attack campaign identified by Michael Katchinskiy and Assaf Morag from the company Aqua Security and is explained in a blog article that was published on the 21st of April, 2023.

The article states that initial access is gained because the Kubernetes cluster is misconfigured and allows admin-level access to the API server by unauthenticated users. Any user who can connect to the API servers of these clusters has admin-level privileges and complete control of the cluster, despite having no credentials.

By default, the user system:anonymous and the user group system:unauthenticated are used for requests made to the API server without any credentials. However, on almost all Kubernetes distributions, including OpenShift, these subjects are granted only a minimal set of RBAC privileges; by default they have no permission to read Secrets or create Pods. In the clusters described in the article, the anonymous user already has permission to create ClusterRoles and ClusterRoleBindings, meaning that they can create roles with any privilege level, including cluster-admin.

These permissions are not set by default, and in general there is no good reason for users and customers to set them. The only plausible reason we can think of is a customer trying to give providers or external users access to the cluster without taking security into account.

The attack exploits a misconfiguration, not a vulnerability or CVE, because anonymous or unauthenticated users have already been configured with admin-level permissions in the affected clusters. Once the attacker gains admin access through this misconfiguration, they can create malicious resources with misleading names that may look legitimate to regular users, for example a “kube-controller” service account. This demonstrates a technique for establishing persistent access and control that may go unnoticed.
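The misconfiguration described above is easy to audit from the ClusterRoleBinding list: the only question is which ClusterRoles are bound to system:anonymous or system:unauthenticated, and whether any of them allows wildcard access or the creation of RBAC objects. The following script is an added example and not part of Red Hat's or Aqua's material; it assumes the input has the Kubernetes List shape returned by `oc get clusterrolebindings -o json` and `oc get clusterroles -o json`, and the embedded sample data (including the "anon-admin" binding) is constructed for illustration.

```python
import json

# Subjects that every unauthenticated request to the API server runs as.
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings", "*"}
WRITE_VERBS = {"*", "create", "update", "patch", "bind", "escalate"}


def rule_is_privileged(rule):
    """Wildcard access, or the ability to create/change RBAC objects, counts as privileged."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    groups = set(rule.get("apiGroups", []))
    if "*" in verbs and "*" in resources:
        return True
    if groups & {"*", "rbac.authorization.k8s.io"} and resources & RBAC_RESOURCES:
        return bool(verbs & WRITE_VERBS)
    return False


def audit_anonymous_access(bindings, roles):
    """Return (binding, role, privileged) for each binding that reaches anonymous callers."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules", []) for r in roles["items"]}
    findings = []
    for b in bindings["items"]:
        subjects = {(s.get("kind"), s.get("name")) for s in b.get("subjects", [])}
        if subjects & ANON_SUBJECTS:
            role = b["roleRef"]["name"]
            privileged = any(rule_is_privileged(r) for r in rules_by_role.get(role, []))
            findings.append((b["metadata"]["name"], role, privileged))
    return findings


# Constructed sample: the stock public-info-viewer binding (read-only non-resource URLs,
# harmless) next to a hypothetical "anon-admin" binding that grants cluster-admin.
SAMPLE_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "system:public-info-viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"},
               {"kind": "Group", "name": "system:unauthenticated"}]},
 {"metadata": {"name": "anon-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]}]}""")
SAMPLE_ROLES = json.loads("""{"items": [
 {"metadata": {"name": "system:public-info-viewer"},
  "rules": [{"verbs": ["get"], "nonResourceURLs": ["/healthz", "/version"]}]},
 {"metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}]}""")

if __name__ == "__main__":
    for name, role, privileged in audit_anonymous_access(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(f"{'PRIVILEGED' if privileged else 'ok'}  {name} -> {role}")
```

On a healthy OpenShift cluster every reported binding should be in the "ok" column; any PRIVILEGED line is the condition RBAC Buster needs and warrants immediate review of who created it.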

OpenShift Container Platform (OCP) impact

OpenShift Container Platform (OCP) is not impacted in its default installation by RBAC Buster, because the RBAC permissions granted to anonymous users connecting to the API server are minimal and do not allow the creation of any cluster resources.

OSD/ROSA impact

OSD/ROSA is not impacted in its default installation by RBAC Buster because it inherits the secure defaults of OpenShift Container Platform (OCP) and does not widen the permissions of anonymous users connecting to the API server.
