CVE-2024-36535
📋 TL;DR
Meshery v0.7.51 ships with insecure permissions that let an attacker read the Meshery service account's token. Whoever holds that token can call the Kubernetes API with every permission bound to the account, which is the privilege-escalation and sensitive-data-access path. Organizations running the vulnerable Meshery build are affected.
💻 Affected Systems
- Meshery
📦 What is this software?
Meshery, by Layer5, is an open-source management plane for cloud-native infrastructure (Kubernetes, service meshes and related tooling). It runs in-cluster under its own Kubernetes service account, so that account's token is a credential for whatever RBAC the account holds, which is what makes this flaw matter.
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise: attackers gain administrative access to the Kubernetes cluster, exfiltrate all data, deploy malicious workloads, and pivot to other systems.
Likely Case
Service account token theft leading to unauthorized access to meshery-managed resources, configuration tampering, and potential lateral movement within the cluster.
If Mitigated
Limited impact with proper network segmentation, RBAC restrictions, and monitoring; attackers may obtain tokens but have limited access scope.
🎯 Exploit Status
Exploitation requires prior access to the cluster or to the Meshery deployment; once the insecure permissions are identified, reading the token is straightforward, and the token then works against the Kubernetes API from anywhere that can reach the API server, for as long as it remains valid.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.7.52 or later
Vendor Advisory: https://meshery.io/security
Restart Required: Yes
Instructions:
1. Update Meshery to v0.7.52 or later using your deployment method (helm, kubectl, etc.).
2. Restart all meshery pods.
3. Verify that the Meshery service account's permissions are restricted (see How to Verify).
🔧 Temporary Workarounds
Restrict Service Account Token Access
Manually adjust Kubernetes RBAC to limit what the Meshery service account can do, so that a stolen token is worth as little as possible. The binding names below are the ones this page assumes; they vary with how Meshery was installed, so confirm the actual names in your cluster before editing, and review which (Cluster)Roles they reference rather than only the bindings themselves.
kubectl edit clusterrolebinding meshery
kubectl edit rolebinding meshery -n <namespace>
Network Isolation
Apply network policies to restrict which workloads can reach the meshery pods. Note that this limits who can reach Meshery to steal the token; it does not limit what an already-stolen token can do against the API server.
kubectl apply -f network-policy.yaml
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to block unauthorized access to meshery service endpoints.
- Apply least-privilege Kubernetes RBAC policies and regularly rotate service account tokens.
🔍 How to Verify
Check if Vulnerable:
Read the image tag of the Meshery deployment (run this in the namespace where Meshery is installed):
kubectl get deployment meshery -o jsonpath='{.spec.template.spec.containers[0].image}'
If the tag is v0.7.51, the deployment is vulnerable. A floating tag (a `latest`-style tag) does not identify the build; in that case check the version Meshery itself reports rather than trusting the tag.
Verify Fix Applied:
Confirm the image tag is v0.7.52 or later. Then check what the Meshery service account is actually allowed to do, since that is what a stolen token is worth: after the fix it should hold no cluster-wide wildcard grants and no access to Secrets it does not need. To locate any Secret-backed token for the account: kubectl get secret -l app=meshery -o yaml | grep -A5 -B5 "token" (this prints the base64 token material to your terminal, so run it only in a session that is not logged or shared).
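As an added example (not Meshery's or this page's own code), the two verification steps scripted against the JSON that kubectl prints: classifying the running image tag, and auditing the Role/ClusterRole rules bound to the Meshery service account for wildcard or Secret-reading grants. The same audit serves the RBAC workaround under Temporary Workarounds. The affected and fixed versions are the page's; the role manifests are constructed for illustration, and the read-only rule set shown as the hardened form is an assumption, not Meshery's documented requirements.

```python
"""Added verification helpers for CVE-2024-36535 (example code, not Meshery's).

Feed them the JSON that kubectl prints:
  kubectl -n <ns> get deployment meshery -o json
  kubectl get clusterrole <name-bound-to-meshery-sa> -o json
The affected/fixed versions come from the advisory; the role manifests below are
constructed for illustration and the least-privilege rule set is an assumption.
"""
import json
import re
from typing import List, Optional

AFFECTED = (0, 7, 51)   # advisory: v0.7.51 is affected
FIXED = (0, 7, 52)      # advisory: v0.7.52 or later is fixed
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None for digest-only/untagged refs."""
    name = image.rsplit("@", 1)[0]           # drop any @sha256:... digest
    last = name.rsplit("/", 1)[-1]           # ignore ':' in a registry host:port
    return last.split(":", 1)[1] if ":" in last else None


def classify_image(image: str) -> str:
    """'vulnerable', 'fixed' or 'unknown'. Floating tags such as stable-latest are
    'unknown': inspect the running binary instead of trusting the tag."""
    tag = image_tag(image)
    m = _SEMVER.match(tag) if tag else None
    if not m:
        return "unknown"
    ver = tuple(int(x) for x in m.groups())
    if ver == AFFECTED:
        return "vulnerable"
    if ver >= FIXED:
        return "fixed"
    return "unknown"   # older than v0.7.51: outside the version range the advisory states


def classify_deployment(deployment_json: str) -> str:
    """Same check, taken straight from `kubectl get deployment meshery -o json`."""
    dep = json.loads(deployment_json)
    image = dep["spec"]["template"]["spec"]["containers"][0]["image"]
    return classify_image(image)


# Grants that turn a stolen token into cluster compromise (not exhaustive; extend for your cluster).
SENSITIVE = {
    ("secrets", "get"), ("secrets", "list"), ("secrets", "watch"),
    ("serviceaccounts/token", "create"), ("pods/exec", "create"),
    ("clusterrolebindings", "create"), ("clusterrolebindings", "update"), ("clusterrolebindings", "patch"),
    ("rolebindings", "create"), ("rolebindings", "update"), ("rolebindings", "patch"),
}


def audit_rbac_rules(role: dict) -> List[str]:
    """Findings for a Role/ClusterRole object: wildcard grants and sensitive verb/resource pairs."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append(f"rule[{i}]: cluster-admin-equivalent wildcard (*/*/*)")
            continue
        if "*" in verbs:
            findings.append(f"rule[{i}]: wildcard verbs on {resources}")
        if "*" in resources:
            findings.append(f"rule[{i}]: wildcard resources with verbs {verbs}")
        findings += [f"rule[{i}]: {v} on {r}" for r in resources for v in verbs if (r, v) in SENSITIVE]
    return findings


def audit_rbac_json(role_json: str) -> List[str]:
    """Convenience wrapper for raw `kubectl get clusterrole <name> -o json` output."""
    return audit_rbac_rules(json.loads(role_json))


# Constructed manifests: the over-broad grant this workaround removes, and an
# assumed read-only replacement (Meshery's real requirements are not on this page).
WEAK_ROLE = """{"kind":"ClusterRole","metadata":{"name":"meshery-weak"},
 "rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]}"""
HARDENED_ROLE = """{"kind":"ClusterRole","metadata":{"name":"meshery-readonly"},
 "rules":[{"apiGroups":[""],"resources":["pods","services","namespaces"],"verbs":["get","list","watch"]},
          {"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","watch"]}]}"""

if __name__ == "__main__":
    print(classify_image("layer5/meshery:v0.7.51"), classify_image("layer5/meshery:v0.7.52"))
    print("weak:", audit_rbac_json(WEAK_ROLE))
    print("hardened:", audit_rbac_json(HARDENED_ROLE))
```

A quicker live check of the same thing, without scripting, is `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<serviceaccount>`; any `*.*` entry in that output means the token is equivalent to cluster-admin. The script is useful when you want the check repeatable across clusters or run from CI against exported manifests.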
📡 Detection & Monitoring
Log Indicators:
- In Meshery's own logs, unauthorized or unexpected requests that touch the service account token
- In Kubernetes audit logs, requests authenticated as the Meshery service account (user system:serviceaccount:<namespace>:<name>) with verbs, resources, source IPs or user agents that Meshery itself never uses: for example reads of Secrets, changes to role bindings, kubectl or curl user agents, or source IPs outside the pod network
Network Indicators:
- Unusual outbound connections from meshery pods to external IPs
- Traffic patterns indicating token exfiltration
SIEM Query:
source="kubernetes" AND ("meshery" OR "serviceaccount") AND ("token" OR "unauthorized")
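The audit-log indicator above, turned into detection logic as an added example (not from Meshery or this page). It scores audit.k8s.io/v1 events for the Meshery service account: use of the token from outside the pod network, verbs and resources outside an expected baseline, access to high-value resources such as Secrets and role bindings, 403s that suggest permission probing, and interactive client user agents on a service-account identity. The service account name, pod CIDR, expected-verb baseline and the log lines themselves are constructed assumptions; replace them with values from your own deployment.

```python
"""Added detection example for CVE-2024-36535: flag misuse of the Meshery service
account token in Kubernetes audit logs. Example code, not Meshery's; the account
name, pod CIDR, baseline and the log lines below are constructed assumptions."""
import ipaddress
import json
from typing import Dict, List, Tuple

MESHERY_SA = "system:serviceaccount:meshery:meshery-server"  # assumption: your SA name may differ
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")              # assumption: your cluster's pod network

# Assumed baseline of what Meshery legitimately does with its token; derive the real
# one from a quiet period of audit logs before alerting on deviations.
EXPECTED = {
    ("pods", "get"), ("pods", "list"), ("pods", "watch"),
    ("services", "get"), ("services", "list"), ("services", "watch"),
    ("namespaces", "list"), ("deployments", "list"),
}
# Resources where any access by this identity is worth an alert on its own.
HIGH_VALUE = {"secrets", "clusterrolebindings", "rolebindings", "serviceaccounts/token"}


def analyze_event(ev: dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one audit.k8s.io/v1 Event dict."""
    if ev.get("user", {}).get("username") != MESHERY_SA:
        return []                       # not the identity we are watching
    if ev.get("stage") != "ResponseComplete":
        return []                       # RequestReceived/ResponseStarted repeat the same request
    findings = []
    ref = ev.get("objectRef", {})
    resource, verb = ref.get("resource", ""), ev.get("verb", "")
    ns = ref.get("namespace", "<cluster>")
    code = ev.get("responseStatus", {}).get("code", 0)

    for ip in ev.get("sourceIPs", []):  # a pod-bound token used from elsewhere means it was exfiltrated
        if ipaddress.ip_address(ip) not in POD_CIDR:
            findings.append(("high", f"token used from outside the pod network: {ip}"))

    if resource in HIGH_VALUE:
        findings.append(("high", f"{verb} on {resource} in {ns} (HTTP {code})"))
    elif (resource, verb) not in EXPECTED:
        findings.append(("medium", f"unexpected {verb} on {resource} in {ns} (HTTP {code})"))

    if code == 403:
        findings.append(("medium", "forbidden request: token holder probing permissions"))

    ua = ev.get("userAgent", "")
    if ua.startswith(("kubectl/", "curl/")):   # assumption: Meshery's own client never sends these
        findings.append(("high", f"interactive client user-agent on a service account: {ua}"))
    return findings


def scan(audit_log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a JSON-lines audit log; map auditID -> findings (events with none are omitted)."""
    out = {}
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        found = analyze_event(ev)
        if found:
            out[ev["auditID"]] = found
    return out


# Constructed audit events (one JSON object per line, as the API server writes them):
# e1 normal Meshery traffic; e2 Secret listing (with its RequestReceived twin, which must
# not double-count); e3 the token used from the Internet via kubectl to grant itself RBAC;
# e4 a curl probe that was refused; e5 a human admin, not our identity.
AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/pods","user":{"username":"system:serviceaccount:meshery:meshery-server","groups":["system:serviceaccounts"]},"sourceIPs":["10.244.1.7"],"userAgent":"meshery/v0.7.52","objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e2","stage":"RequestReceived","verb":"list","requestURI":"/api/v1/namespaces/kube-system/secrets","user":{"username":"system:serviceaccount:meshery:meshery-server"},"sourceIPs":["10.244.1.7"],"userAgent":"meshery/v0.7.52","objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e2","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces/kube-system/secrets","user":{"username":"system:serviceaccount:meshery:meshery-server"},"sourceIPs":["10.244.1.7"],"userAgent":"meshery/v0.7.52","objectRef":{"resource":"secrets","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e3","stage":"ResponseComplete","verb":"create","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","user":{"username":"system:serviceaccount:meshery:meshery-server"},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.30.0","objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e4","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/kube-system/secrets/admin-kubeconfig","user":{"username":"system:serviceaccount:meshery:meshery-server"},"sourceIPs":["10.244.1.7"],"userAgent":"curl/8.5.0","objectRef":{"resource":"secrets","namespace":"kube-system","name":"admin-kubeconfig"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"e5","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces/kube-system/secrets","user":{"username":"kubernetes-admin"},"sourceIPs":["192.168.1.10"],"userAgent":"kubectl/v1.30.0","objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
"""

if __name__ == "__main__":
    for audit_id, findings in scan(AUDIT_LOG).items():
        for severity, message in findings:
            print(f"{audit_id} [{severity}] {message}")
```

This needs an audit policy that records at least Metadata level for the Meshery service account; without audit logging enabled the SIEM query above has nothing to match. Alert on any "high" finding immediately; the "medium" baseline deviations are better aggregated per hour and reviewed, since they also fire on legitimate Meshery upgrades that add new API calls.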