CVE-2021-44458
📋 TL;DR
CVE-2021-44458 is a critical authentication bypass vulnerability in the Lens Kubernetes IDE that allows malicious websites to open unauthorized WebSocket connections to a Lens instance running on the user's machine. This lets an attacker execute arbitrary commands on the victim's system through Lens's local terminal feature. All Linux users running Lens 5.2.6 and earlier are affected.
💻 Affected Systems
- Mirantis Lens (Kubernetes IDE)
📦 What is this software?
Lens, a Kubernetes IDE, by Mirantis.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the victim's machine, ability to execute arbitrary commands, access sensitive data, and potentially pivot to other systems.
Likely Case
Local command execution leading to data theft, cryptocurrency mining, ransomware deployment, or lateral movement within the network.
If Mitigated
No impact if Lens is not running or proper network segmentation prevents malicious website connections.
🎯 Exploit Status
Exploitation is straightforward: a malicious website can trigger WebSocket connections without authentication. A proof of concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.7 and later
Vendor Advisory: https://github.com/Mirantis/security/blob/main/advisories/0001.md
Restart Required: Yes
Instructions:
1. Download Lens 5.2.7 or later from official sources.
2. Uninstall the previous version.
3. Install the new version.
4. Restart the system to ensure a clean state.
🔧 Temporary Workarounds
Disable Lens WebSocket Service
Linux: Prevent Lens from accepting WebSocket connections by disabling or blocking the service port.
sudo systemctl stop lens
sudo systemctl disable lens
sudo firewall-cmd --permanent --remove-port=8080/tcp
sudo firewall-cmd --reload
Network Isolation
Linux: Block Lens's WebSocket port at the firewall level to prevent external connections.
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
sudo iptables-save > /etc/iptables/rules.v4
🧯 If You Can't Patch
- Stop using Lens entirely until patched version can be installed.
- Use browser extensions to block WebSocket connections from untrusted websites and ensure Lens is not running during web browsing.
🔍 How to Verify
Check if Vulnerable:
Check the Lens version with lens --version or in the application's About section. If the version is 5.2.6 or earlier, the system is vulnerable.
Check Version:
lens --version
Verify Fix Applied:
After updating, verify that the version is 5.2.7 or later using the lens --version command.
📡 Detection & Monitoring
Log Indicators:
- Unexpected WebSocket connections to Lens port (typically 8080)
- Unusual command execution in Lens terminal logs
- Failed authentication attempts to Lens WebSocket service
Network Indicators:
- WebSocket traffic from external IPs to Lens port
- Malicious website domains making connections to localhost:8080
SIEM Query:
(source="lens.log" AND ("websocket" OR "unauthorized" OR "malicious")) OR (dest_port=8080 AND src_ip!=127.0.0.1)
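The bypass described in the TL;DR works because a web page in the user's browser can open a WebSocket to a local port, and the local server did not check who opened it. The check a local WebSocket server needs is to validate the browser-supplied Origin header before completing the upgrade; the following is an added Python example of that check, not Lens's code or its fix. The local host names, the request path and both sample handshakes are constructed for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Added example, not Lens's own code. A browser always sends an Origin header
# on a WebSocket handshake naming the page that opened it, so a local WebSocket
# server can refuse connections opened by remote sites by checking that header.
# The names treated as "this machine" are an assumption for the example.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_handshake(raw: str) -> dict:
    """Split an HTTP/1.1 request into its request line and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def is_websocket_upgrade(headers: dict) -> bool:
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())

def origin_is_local(origin: str | None) -> bool:
    """True when Origin names this machine. A missing Origin means a non-browser
    client, which a remote web page cannot drive, so it is accepted; an
    unparsable Origin (e.g. "null") or a remote host is rejected."""
    if origin is None:
        return True
    parts = urlsplit(origin)
    return parts.scheme in ("http", "https") and (parts.hostname or "") in LOCAL_HOSTS

def evaluate_handshake(raw: str) -> tuple[bool, str]:
    """Return (accept, reason) for one raw handshake request."""
    req = parse_handshake(raw)
    headers = req["headers"]
    if req["method"] != "GET" or not is_websocket_upgrade(headers):
        return False, "not a websocket upgrade"
    if not origin_is_local(headers.get("origin")):
        return False, f"cross-site origin {headers.get('origin')!r}"
    return True, "local origin"

# Constructed handshakes: one from a page served on the local machine, one
# from a remote site that the user merely has open in another browser tab.
LOCAL_HANDSHAKE = ("GET /terminal HTTP/1.1\r\nHost: localhost:8080\r\n"
                   "Upgrade: websocket\r\nConnection: Upgrade\r\n"
                   "Origin: http://localhost:8080\r\n\r\n")
CROSS_SITE_HANDSHAKE = LOCAL_HANDSHAKE.replace(
    "Origin: http://localhost:8080", "Origin: https://attacker.example")
```

The same Origin check run over captured handshake requests also gives a concrete signal for the "unexpected WebSocket connections" indicator above: any upgrade to the Lens port whose Origin is not local is the cross-site case.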