Critical Kubernetes gitRepo Volume Vulnerability: CVE-2024-10220

By Moshe Hassan

Nov 22, 2024

A critical security vulnerability identified as CVE-2024-10220 has been discovered in Kubernetes’ deprecated gitRepo volume type. This vulnerability allows attackers with permissions to create pods using gitRepo volumes to execute arbitrary commands on the host node with root privileges, potentially leading to full system compromise.

The gitRepo volume type was designed to clone Git repositories into pods for operational convenience. However, this functionality is inherently unsafe due to improper handling of repository content, including malicious Git submodules and hooks.

CVE-2024-10220 Details

The vulnerability stems from the gitRepo volume type, which executes git clone commands without sanitizing or validating the contents of the target repository. Specifically:

  1. Malicious Git Hooks: Attackers can craft repositories with dangerous hooks that are triggered during cloning.
  2. Execution Context: These hooks execute in the host environment, not within the pod, allowing access to host resources and privileges.
  3. Improper Input Validation: The absence of proper input validation or sandboxing magnifies the risk, enabling exploitation by users with minimal Kubernetes permissions.

Although gitRepo has been deprecated in Kubernetes, it remains active in older versions or configurations where it is explicitly enabled. This makes systems still using this volume type highly vulnerable.

CVE-2024-10220 Impact

The consequences of exploiting this vulnerability include:

  • Unauthorized Access: Attackers gain unauthorized access to the Kubernetes host node.
  • System Compromise: Full control over the host system, enabling further attacks or disruption.
  • Data Breach: Sensitive cluster data, including credentials, may be exposed or stolen.

Recommended Actions

  1. Disable gitRepo Volumes: Immediately disable the gitRepo volume type in your Kubernetes cluster.
  2. Upgrade Kubernetes:  Update to one of the fixed versions:
    • kubelet v1.31.0
    • kubelet v1.30.3
    • kubelet v1.29.7
    • kubelet v1.28.12
  3. Alternative Approach: Since the gitRepo volume has been deprecated, it is recommended to perform Git clone operations when initializing the container and then mount the directory into the Pod’s container.
  4. Enforce RBAC: Limit pod creation privileges to trusted users and enforce strict Role-Based Access Control (RBAC).

How Upwind Helps Protect You From the gitRepo Vulnerability

Upwind’s Cloud Security Platform provides powerful tools to address and mitigate the risks associated with CVE-2024-10220:

  • Cluster Visibility: Identify which clusters are running Kubernetes versions that still support the gitRepo volume type.
  • Vulnerability Management: Use Upwind’s SBOM Explorer to detect and track usage of deprecated or unsafe volume types across your environment.
  • Risk Prioritization: Understand the impact of this vulnerability in high-risk environments and prioritize upgrades or mitigations.
  • Continuous Monitoring: Upwind provides real-time detection of configuration issues and alerts for potential exploits involving gitRepo volumes.

For more information on how Upwind helps identify critical vulnerabilities like gitRepo, contact us.

Critical Kubernetes gitRepo Volume Vulnerability: CVE-2024-10220

Further Reading

Research

Ransomware’s Reach: Data Risks, IP Theft, and Encryption Takeover in the Cloud

By Avital Harel

Nov 14, 2024

In our previous article on Cloud Heists, we highlighted how attackers exploit credential theft and privilege escalation to take over cloud environments. However, ransomware poses an even broader threat, targeting cloud platforms to steal sensitive data, disrupt business operations, and hold companies hostage. In this post, we’ll explore these growing ransomware trends and offer insights […]

Research

Critical RCE Vulnerability in jsonpath-plus (CVE-2024-21534)

By Moshe Hassan

Oct 17, 2024

A critical Remote Code Execution (RCE) vulnerability identified as CVE-2024-21534 has been discovered in versions of the jsonpath-plus package before 10.0.0. This vulnerability allows attackers to execute arbitrary code on affected systems by exploiting improper input sanitization and the unsafe default usage of the vm module in Node.js. jsonpath-plus is a JavaScript implementation of JSONPath […]

Research

Analyzing the Latest CUPS RCE Vulnerability: Threats and Mitigations

By Eliad Mualem & Leahy Shelly

Sep 27, 2024

Remote Code Execution (RCE) in CUPS via ‘cups-browsed’ CUPS (Common Unix Printing System) is a popular printing system for Unix-like systems, with cups-browsed responsible for printer discovery and network browsing. A recent vulnerability in cups-browsed allows Remote Code Execution (RCE) through manipulated printer discovery responses. This vulnerability is caused by insufficient input validation on UDP […]

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo
Glossary

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2024, Upwind Security