GENERAL INFORMATION
Executive Summary:
A MITM vulnerability was discovered in Conjur Kubernetes authenticator flow which may potentially allow an intranet attacker to gain access to secrets which the Kubernetes POD is authorized to retrieve.
This vulnerability affects all integrations using Conjur Kubernetes authenticator (aka: OpenShift and all Kubernetes supported platforms).
Detailed Explanation:
This vulnerability may potentially allow a man-in-the-middle (MITM) type attack on one of the communication sessions between Conjur and Kubernetes API server during Kubernetes authentication process. This may lead to a disclosure of the Conjur Kubernetes authenticator instance service account token, and allow the attacker to bypass the Kubernetes authentication and to retrieve secrets which the Kubernetes POD is authorized to access.
Recommendations:
CyberArk highly recommends that all customers who are using Kubernetes authenticator upgrade to Conjur 1.11.2.
CyberArk recommends that other customers also upgrade to Conjur 1.11.2 in case of future use of the Kubernetes/OpenShift integration.
In addition, CyberArk recommends that customers who are using Kubernetes in any of the Conjur affected versions rotate their Kubernetes Service Account Token after or as part of the upgrade process.
Upgrade Instructions
See the Docker Compose Upgrade Instructions or the Helm Chart Upgrade Instructions to upgrade your Conjur installation.
Frequently Asked Questions
I am using a Conjur version prior to 1.11.2 with Kubernetes/OpenShift integration, am I affected?
Yes. CyberArk highly recommends that all customers who are using the Conjur Kubernetes/OpenShift integration upgrade to Conjur version 1.11.2
I am not using the Kubernetes/OpenShift integration, am I affected?
No. This vulnerability only affects customers who are using the Conjur Kubernetes/OpenShift integration. However, CyberArk recommends that all customers upgrade to Conjur version 1.11.2 prior to using the Kubernetes/OpenShift integration.
Can any user exploit this vulnerability in Conjur versions prior to v1.11.2?
No. In order to exploit this vulnerability, the user must have intranet access with root access on either a machine or a network device on the Conjur network segment.
Can a user who exploits this vulnerability gain access to all secrets stored in Conjur?
No. The user can only retrieve secrets that the exploited Kubernetes pod is authorized to access.
Can this vulnerability be exploited remotely?
No, the user must have intranet access to be able to exploit this vulnerability.
Is there a public exploit for this vulnerability?
This vulnerability was discovered internally by CyberArk. CyberArk has not received any information that indicates that this vulnerability has been publicly exploited.
For more information
If you have any questions or comments about this advisory, please email us at security@conjur.org.
GENERAL INFORMATION
Executive Summary:
A MITM vulnerability was discovered in Conjur Kubernetes authenticator flow which may potentially allow an intranet attacker to gain access to secrets which the Kubernetes POD is authorized to retrieve.
This vulnerability affects all integrations using Conjur Kubernetes authenticator (aka: OpenShift and all Kubernetes supported platforms).
Detailed Explanation:
This vulnerability may potentially allow a man-in-the-middle (MITM) type attack on one of the communication sessions between Conjur and Kubernetes API server during Kubernetes authentication process. This may lead to a disclosure of the Conjur Kubernetes authenticator instance service account token, and allow the attacker to bypass the Kubernetes authentication and to retrieve secrets which the Kubernetes POD is authorized to access.
Recommendations:
CyberArk highly recommends that all customers who are using Kubernetes authenticator upgrade to Conjur 1.11.2.
CyberArk recommends that other customers also upgrade to Conjur 1.11.2 in case of future use of the Kubernetes/OpenShift integration.
In addition, CyberArk recommends that customers who are using Kubernetes in any of the Conjur affected versions rotate their Kubernetes Service Account Token after or as part of the upgrade process.
Upgrade Instructions
See the Docker Compose Upgrade Instructions or the Helm Chart Upgrade Instructions to upgrade your Conjur installation.
Frequently Asked Questions
I am using a Conjur version prior to 1.11.2 with Kubernetes/OpenShift integration, am I affected?
Yes. CyberArk highly recommends that all customers who are using the Conjur Kubernetes/OpenShift integration upgrade to Conjur version 1.11.2
I am not using the Kubernetes/OpenShift integration, am I affected?
No. This vulnerability only affects customers who are using the Conjur Kubernetes/OpenShift integration. However, CyberArk recommends that all customers upgrade to Conjur version 1.11.2 prior to using the Kubernetes/OpenShift integration.
Can any user exploit this vulnerability in Conjur versions prior to v1.11.2?
No. In order to exploit this vulnerability, the user must have intranet access with root access on either a machine or a network device on the Conjur network segment.
Can a user who exploits this vulnerability gain access to all secrets stored in Conjur?
No. The user can only retrieve secrets that the exploited Kubernetes pod is authorized to access.
Can this vulnerability be exploited remotely?
No, the user must have intranet access to be able to exploit this vulnerability.
Is there a public exploit for this vulnerability?
This vulnerability was discovered internally by CyberArk. CyberArk has not received any information that indicates that this vulnerability has been publicly exploited.
For more information
If you have any questions or comments about this advisory, please email us at security@conjur.org.