Login Sign Up

CVE-2018-1002105

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability in Kubernetes allows attackers to bypass authentication and authorization controls by exploiting improper error handling in the kube-apiserver's proxy functionality. Attackers can establish connections to backend servers through the API server and send arbitrary requests authenticated with the API server's TLS credentials. All Kubernetes clusters running affected versions are vulnerable.

💻 Affected Systems

Products:
  • Kubernetes
Versions: All versions prior to v1.10.11, v1.11.5, and v1.12.3
Operating Systems: All platforms running Kubernetes
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Kubernetes deployments are vulnerable. The vulnerability exists in the core kube-apiserver component.

📦 What is this software?

Kubernetes by Kubernetes

View all CVEs affecting Kubernetes →

Kubernetes by Kubernetes

View all CVEs affecting Kubernetes →

Kubernetes by Kubernetes

View all CVEs affecting Kubernetes →

Kubernetes by Kubernetes

View all CVEs affecting Kubernetes →

Kubernetes by Kubernetes

View all CVEs affecting Kubernetes →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Trident by Netapp

View all CVEs affecting Trident →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full cluster compromise allowing attackers to execute arbitrary commands, access sensitive data, deploy malicious workloads, and pivot to other systems using the API server's elevated privileges.

🟠

Likely Case

Unauthorized access to backend services, data exfiltration, privilege escalation within the cluster, and potential lateral movement to other components.

🟢

If Mitigated

Limited impact if network policies restrict API server access, RBAC is properly configured, and audit logging is enabled to detect suspicious proxy requests.

🌐 Internet-Facing: HIGH - Internet-facing Kubernetes API servers are directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this to escalate privileges and compromise the entire cluster.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the Kubernetes API server but no authentication. Multiple public proof-of-concept exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.10.11, v1.11.5, v1.12.3 or later

Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/71411

Restart Required: Yes

Instructions:

1. Backup your cluster configuration. 2. Upgrade kube-apiserver to patched version. 3. Restart kube-apiserver. 4. Verify other components are compatible with new API server version. 5. Test cluster functionality after upgrade.

🔧 Temporary Workarounds

Network Policy Restriction

all

Restrict network access to kube-apiserver using firewall rules or network policies to limit exposure.

kubectl apply -f network-policy.yaml

API Server Authentication Hardening

linux

Implement additional authentication layers and rate limiting for API server requests.

Configure --client-ca-file, --requestheader-client-ca-file flags

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Kubernetes API server from untrusted networks
  • Enable and monitor audit logging for all API server requests, particularly focusing on proxy/upgrade requests

🔍 How to Verify

Check if Vulnerable:

Check Kubernetes version: kubectl version --short | grep Server. If version is below v1.10.11, v1.11.5, or v1.12.3, you are vulnerable.

Check Version:

kubectl version --short | grep Server

Verify Fix Applied:

After upgrade, verify version is at least v1.10.11, v1.11.5, or v1.12.3 using kubectl version --short. Test proxy functionality to ensure it works correctly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual proxy requests in kube-apiserver logs
  • Unexpected upgrade requests with error responses
  • Requests to backend services from API server IP with unusual patterns

Network Indicators:

  • Abnormal traffic patterns between API server and backend services
  • Unexpected connections established through API server proxy

SIEM Query:

source="kube-apiserver" AND ("proxy" OR "upgrade") AND error

📊 Metadata

CVE ID: CVE-2018-1002105
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-388
Published: December 5, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-1002105, you might also want to check these:

CVE-2014-9985 9.8

This CVE describes a Time-of-Check Time-of-Use (TOCTOU) vulnerability in Qualcomm Snapdragon chipset...

Same vulnerability type (CWE-388)
CVE-2015-9120 9.8

This vulnerability in Qualcomm Snapdragon chipsets allows attackers to exploit an error condition de...

Same vulnerability type (CWE-388)
CVE-2016-10466 9.8

This vulnerability affects Android devices with Qualcomm Snapdragon chipsets where SSL/TLS handshake...

Same vulnerability type (CWE-388)