CVE-2023-36815
📋 TL;DR
CVE-2023-36815 is an authorization flaw in the billing system of the Sealos Cloud Operating System. An authenticated user can manipulate the sealos.io/v1 Payment resources that back billing, so that a payment of only 1 RMB is credited as an arbitrary recharge amount; the same resources also expose payment information to users who should not see it. Sealos 4.2.0 and earlier are affected wherever users can reach the billing functionality, and the fix ships in 4.2.1.
💻 Affected Systems
- Sealos Cloud Operating System
📦 What is this software?
Sealos (github.com/labring/sealos) is an open-source cloud operating system distribution built on the Kubernetes kernel. Its billing component represents recharges as Kubernetes custom resources (sealos.io/v1 Payment), so access to billing is ultimately governed by Kubernetes RBAC on those resources.
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could manipulate payment systems to create unauthorized financial transactions, potentially causing financial loss, resource exhaustion, or disruption of billing operations.
Likely Case
Users with access to the billing system could manipulate their own or potentially other users' payment resources, leading to incorrect billing records and minor financial discrepancies.
If Mitigated
With proper RBAC controls and namespace isolation, impact would be limited to users' own namespaces with minimal financial exposure.
🎯 Exploit Status
Exploitation requires authenticated access to the Sealos billing interface; the advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.2.1 or later
Vendor Advisory: https://github.com/labring/sealos/security/advisories/GHSA-vpxf-q44g-w34w
Restart Required: Yes
Instructions:
1. Update Sealos to version 4.2.1 or later.
2. Apply the updated RBAC policies that ship with the release.
3. Restart the Sealos components so the new image and policies take effect.
4. Verify that ordinary users can no longer create, update or patch Payment resources outside their own namespace (a request as such a user should be denied).
🔧 Temporary Workarounds
Disable billing system
Temporarily scale the Sealos billing controller to zero replicas so that Payment resources are no longer processed. The deployment name and namespace depend on the install; confirm them before running the command, and keep in mind that while the controller is down usage is not metered and legitimate recharges are not applied either.
kubectl scale deployment sealos-billing --replicas=0
Restrict RBAC permissions
Remove ordinary users' permission to create, update or patch Payment resources (apiGroup sealos.io, resource payments). The rules live in the Role or ClusterRole, not in the binding, so find the roles that grant those verbs and edit them; then confirm with an impersonated kubectl auth can-i check that a regular user is denied.
kubectl edit clusterrole <role-name>
Remove the rule covering apiGroups sealos.io / resources payments, or at least drop the verbs create, update and patch from it; if a ClusterRoleBinding or RoleBinding exists only to grant that role to users, remove the binding as well.
🧯 If You Can't Patch
- Segment the billing backend (payment-provider callbacks, billing database) from regular users. Note that this alone does not stop the vulnerability: Payment resources are written through the Kubernetes API server, so it must be paired with the RBAC restriction above.
- Enable audit logging for Payment resources at the Request or RequestResponse level so the request body (including the recharge amount) is recorded, not just the metadata, and monitor those events for the indicators listed under Detection & Monitoring.
🔍 How to Verify
Check if Vulnerable:
Read the image tag of the running Sealos deployment (the deployment name and namespace depend on the install; list deployments across all namespaces if "sealos" is not found):
kubectl get deployment sealos -o jsonpath='{.spec.template.spec.containers[0].image}'
Take the tag from the end of the image reference rather than grepping for ':[0-9.]*': that pattern also matches a registry port (registry:5000/...) and drops pre-release suffixes such as -rc1. A tag of 4.2.0 or lower is vulnerable; a tag with no version (for example latest) must be resolved via the image digest.
Verify Fix Applied:
Verify that the version is 4.2.1 or later and, acting as a regular user, confirm that Payment resources outside that user's own namespace cannot be created or modified (the API server should respond with 403 Forbidden).
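To turn the image reference returned by the kubectl command above into a verdict without the grep pitfalls, the following Python is an added helper; it is not part of this page or of the Sealos project. It assumes the fixed release is 4.2.1 as stated above, treats pre-release tags of 4.2.1 (-rcN) conservatively as not yet fixed, and returns no verdict for tags such as latest that carry no version. The image references used in the comments and the check.py file name are constructed for illustration.

```python
"""Decide from a Sealos image reference whether the deployment is below the 4.2.1 fix."""
import re
import sys
from typing import Optional, Tuple

# First fixed release as stated on this page (assumption: the final release, not an -rc tag).
FIXED_VERSION = (4, 2, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def image_tag(image_ref: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it has none.

    Unlike grep -o ':[0-9.]*', this does not mistake a registry port for a tag
    (registry.example:5000/labring/sealos:4.2.0 -> "4.2.0") and keeps -rc
    suffixes. A digest suffix (@sha256:...) is not a tag.
    """
    ref = image_ref.split("@", 1)[0]
    last = ref.rsplit("/", 1)[-1]  # "sealos:4.2.0" or just "sealos"
    if ":" not in last:
        return None
    return last.split(":", 1)[1]


def parse_version(tag: str) -> Optional[Tuple[Tuple[int, int, int], Optional[str]]]:
    """Split "v4.2.1-rc1" into ((4, 2, 1), "rc1"); None if the tag is not a version."""
    m = _VERSION_RE.match(tag)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_vulnerable(image_ref: str) -> Optional[bool]:
    """True if below 4.2.1, False if 4.2.1 or later, None if the tag carries no version.

    Versions compare as integer tuples, so 4.10.0 is correctly newer than 4.2.1
    (a string comparison would get this wrong). A pre-release of the fixed
    version (4.2.1-rcN) is treated as still vulnerable; confirm the exact first
    fixed tag against the vendor advisory.
    """
    tag = image_tag(image_ref)
    if tag is None:
        return None
    parsed = parse_version(tag)
    if parsed is None:
        return None  # e.g. "latest" or a commit sha: resolve the digest by hand
    core, prerelease = parsed
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and prerelease is not None:
        return True
    return False


VERDICTS = {
    True: "VULNERABLE: below 4.2.1",
    False: "fixed: 4.2.1 or later",
    None: "unknown: tag carries no version, inspect the image digest",
}

if __name__ == "__main__":
    # Usage (check.py is a hypothetical file name):
    #   kubectl get deployment sealos -o jsonpath='{.spec.template.spec.containers[0].image}' | python check.py
    ref = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read().strip()
    print(f"{ref}: {VERDICTS[is_vulnerable(ref)]}")
```

Pipe the jsonpath output into the script or pass the reference as an argument; an "unknown" verdict means the tag cannot be trusted and the digest must be matched against the release images by hand.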
📡 Detection & Monitoring
Log Indicators:
- Create, update or patch requests on sealos.io/v1 Payment resources from users who should not be able to issue them (the billing controller legitimately patches Payment status; writes from ordinary users are the signal)
- Multiple 1 RMB recharge attempts from a single user in a short period
- Payment resource writes in a namespace other than the requesting user's own
Network Indicators:
- Unusual API calls to billing endpoints
- Bursts of POST/PUT/PATCH requests to /apis/sealos.io/v1/namespaces/*/payments, especially where the namespace in the path is not the caller's own
SIEM Query:
source="kubernetes" AND (resource.type="sealos.io/v1/Payment" AND verb IN ("create","update","patch"))
The field names above are illustrative; in raw Kubernetes audit events the equivalents are objectRef.apiGroup = "sealos.io", objectRef.resource = "payments" and verb in create/update/patch, so adapt the query to your ingestion schema and exclude writes to the status subresource, which the billing controller performs during normal processing.
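The three log indicators above can be checked directly against Kubernetes audit events with the following Python, an added example that is not part of this page or of the Sealos project. It assumes the audit policy records Payment requests at least at the Request level, that the resource appears in audit events as resource payments in apiGroup sealos.io (derived from the page's sealos.io/v1/Payment), and that a user's own namespace is ns-<username>; that naming is an assumption passed in as a function so it can be adjusted to the install. The audit lines it scans, the user names and the service-account name are constructed samples.

```python
"""Flag suspicious writes to Sealos Payment resources in Kubernetes audit logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Iterable, Iterator, List

WRITE_VERBS = {"create", "update", "patch"}
# Assumed audit-log spelling of the page's sealos.io/v1/Payment resource.
PAYMENT_GROUP, PAYMENT_RESOURCE = "sealos.io", "payments"
BURST_THRESHOLD = 3                  # this many Payment writes by one user ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window is reported


def default_home_namespace(username: str) -> str:
    """Assumption for this example: user 'alice' owns namespace 'ns-alice'."""
    return "ns-" + username


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def payment_writes(lines: Iterable[str]) -> Iterator[dict]:
    """Yield audit events that create/update/patch a Payment object itself.

    Writes to the status subresource are skipped: the billing controller
    patches status during normal processing, and that is not the signal.
    """
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != PAYMENT_GROUP or ref.get("resource") != PAYMENT_RESOURCE:
            continue
        if ev.get("verb") not in WRITE_VERBS or ref.get("subresource"):
            continue
        yield ev


def analyze(lines: Iterable[str],
            home_namespace: Callable[[str], str] = default_home_namespace) -> List[str]:
    """Return one finding per cross-namespace write and one per user bursting writes."""
    findings: List[str] = []
    per_user = defaultdict(list)
    for ev in payment_writes(lines):
        user = ev["user"]["username"]
        ref = ev["objectRef"]
        ns = ref.get("namespace", "")
        code = ev.get("responseStatus", {}).get("code")
        # Denied attempts (403) are reported too: they show someone probing billing.
        if ns != home_namespace(user):
            findings.append(f"{user} {ev['verb']} payments/{ref.get('name')} in {ns} "
                            f"(home namespace {home_namespace(user)}), HTTP {code}")
        per_user[user].append(_ts(ev["requestReceivedTimestamp"]))
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append(f"{user}: {end - start + 1} Payment writes within {BURST_WINDOW}")
                break
    return findings


def _event(verb, user, ns, name, ts, code=201, group=PAYMENT_GROUP,
           resource=PAYMENT_RESOURCE, subresource=None) -> str:
    """Build one constructed audit.k8s.io/v1 event line (sample data, not a real log)."""
    ref = {"apiGroup": group, "apiVersion": "v1", "resource": resource,
           "namespace": ns, "name": name}
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Request",
                       "verb": verb, "user": {"username": user}, "objectRef": ref,
                       "requestReceivedTimestamp": ts, "responseStatus": {"code": code}})


SAMPLE_AUDIT_LINES = [  # constructed samples; replace with lines read from audit.log
    _event("create", "alice", "ns-alice", "pay-1", "2023-07-01T10:00:00.000000Z"),
    _event("patch", "system:serviceaccount:billing:controller", "ns-alice", "pay-1",
           "2023-07-01T10:00:02.000000Z", code=200, subresource="status"),  # controller, ignored
    _event("create", "alice", "ns-alice", "web", "2023-07-01T10:00:05.000000Z",
           group="", resource="pods"),                                       # not a Payment
    _event("create", "alice", "ns-alice", "pay-2", "2023-07-01T10:01:10.000000Z"),
    _event("create", "alice", "ns-alice", "pay-3", "2023-07-01T10:03:30.000000Z"),  # 3 in 3.5 min
    _event("create", "bob", "ns-alice", "pay-4", "2023-07-01T10:05:00.000000Z"),    # bob in alice's ns
    _event("update", "carol", "ns-carol", "pay-5", "2023-07-01T11:00:00.000000Z", code=200),  # benign
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUDIT_LINES):
        print(finding)
```

On the sample it reports bob's write into ns-alice and alice's three recharges inside five minutes, while the controller's status patch, the pod create and carol's single in-namespace update produce nothing. The request body is not inspected here because its layout is not given on this page; with RequestResponse-level auditing the recharge amount can be pulled from requestObject and compared against what the payment provider actually confirmed.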