CVE-2024-36539
📋 TL;DR
This vulnerability in Contour v1.28.3 allows attackers to access Kubernetes service account tokens due to insecure permissions. Attackers can use these tokens to escalate privileges and access sensitive data within the cluster. Anyone running the vulnerable version of Contour is affected.
💻 Affected Systems
- Contour
📦 What is this software?
Contour by Projectcontour
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise where attackers gain administrative access to the Kubernetes cluster, allowing them to deploy malicious pods, exfiltrate sensitive data, or disrupt services.
Likely Case
Attackers gain access to service account tokens and use them to escalate privileges within the namespace or cluster, potentially accessing secrets and other sensitive resources.
If Mitigated
With proper network segmentation and RBAC controls, impact is limited to the specific namespace where Contour runs, though service account tokens could still be exposed.
🎯 Exploit Status
Exploitation requires access to the Kubernetes cluster where Contour is running. The GitHub gist provides technical details about the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.28.4 or later
Vendor Advisory: https://github.com/projectcontour/contour/releases
Restart Required: Yes
Instructions:
1. Backup your Contour configuration.
2. Update Contour to v1.28.4 or later using your preferred deployment method (Helm, kubectl, etc.).
3. Verify the new version is running correctly.
4. Monitor for any issues after the update.
🔧 Temporary Workarounds
Restrict Service Account Permissions
Apply restrictive RBAC policies to limit the service account's capabilities:
kubectl apply -f restrictive-rbac.yaml
Disable Automount Service Account Token
Prevent automatic mounting of service account tokens in pods. Note that the contour controller itself needs its service account token to watch Kubernetes resources, so confirm that Contour still reconciles after this change before relying on it in production:
kubectl patch deployment contour -p '{"spec":{"template":{"spec":{"automountServiceAccountToken":false}}}}'
🧯 If You Can't Patch
- Implement network policies to restrict Contour pod communication to only necessary services
- Regularly rotate service account tokens and monitor for unauthorized usage
🔍 How to Verify
Check if Vulnerable:
Read the image tag of the running Contour deployment:
kubectl get deployment contour -o jsonpath='{.spec.template.spec.containers[0].image}'
Check Version:
kubectl get deployment contour -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o 'v[0-9.]*'
Verify Fix Applied:
Confirm the reported Contour version is v1.28.4 or later, and check that the service account's RBAC permissions are restricted to what Contour needs.
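The version check above is easy to get wrong by eye (1.28.3 vs 1.28.4, images with digests, a tag without a leading v). The following helper is an added example, not part of the advisory or of the Contour project: it extracts the version from an image reference, compares it numerically against the fixed release, and classifies the deployment. It assumes the deployment is named contour and, as in the default install, lives in the projectcontour namespace (override with CONTOUR_NS); the check_cluster function is the only part that needs kubectl and cluster access.

```shell
# Added example for CVE-2024-36539, not code from the advisory or from Contour.
# Assumptions: deployment name "contour", namespace "projectcontour" (default
# install; override via CONTOUR_NS), image tag of the form vMAJOR.MINOR.PATCH.

FIXED_VERSION=1.28.4   # first release the advisory lists as patched

# Extract MAJOR.MINOR.PATCH from an image reference, e.g.
#   ghcr.io/projectcontour/contour:v1.28.3            -> 1.28.3
#   ghcr.io/projectcontour/contour:v1.28.4@sha256:... -> 1.28.4
#   ghcr.io/projectcontour/contour:latest             -> (empty)
contour_version_from_image() {
  ref=${1%%@*}                      # drop any @sha256:... digest suffix
  printf '%s\n' "$ref" | sed -n 's/.*:v\{0,1\}\([0-9][0-9.]*\)$/\1/p'
}

# True (exit 0) if version $1 is lower than version $2, comparing
# major, minor and patch as numbers rather than as strings.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= 3; i++) {
      xa = (i <= n) ? x[i] + 0 : 0; yb = (i <= m) ? y[i] + 0 : 0;
      if (xa < yb) exit 0;
      if (xa > yb) exit 1;
    }
    exit 1   # equal versions are not "less than"
  }'
}

# Print "vulnerable", "fixed" or "unknown" for an image reference.
classify_image() {
  v=$(contour_version_from_image "$1")
  if [ -z "$v" ]; then
    echo "unknown"                  # mutable or non-semver tag: inspect manually
  elif version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "fixed"
  fi
}

# Query the live cluster. Not invoked at load time; run it explicitly.
check_cluster() {
  ns=${CONTOUR_NS:-projectcontour}
  img=$(kubectl -n "$ns" get deployment contour \
        -o jsonpath='{.spec.template.spec.containers[0].image}') || return 2
  printf 'contour image %s: %s\n' "$img" "$(classify_image "$img")"
}
```

Source the file and call check_cluster; an "unknown" result (for example a :latest tag) means the tag does not identify a release, so resolve the digest against the project's release notes before treating the cluster as patched.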
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to service account tokens
- Unusual API calls from Contour service account
- Failed RBAC authorization attempts
Network Indicators:
- Unexpected outbound connections from Contour pods
- Traffic to Kubernetes API server from unexpected sources
SIEM Query:
source="kubernetes" AND ("serviceaccount" OR "token") AND ("unauthorized" OR "forbidden")
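The SIEM query above is written for a generic log source. Against the Kubernetes API server audit log, the equivalent check is "requests by a service account that were answered 403 Forbidden", which is what a token being used beyond its intended RBAC scope looks like. The script below is an added example, not part of the advisory: it filters a JSON-lines audit log (the apiserver's default json format, with the real user.username, verb, requestURI and responseStatus.code fields) using only grep, sed and cut, and ships with a constructed sample log so it runs offline. The sample events and the namespace projectcontour are assumptions.

```shell
# Added example, not code from the advisory. Assumes a Kubernetes audit log
# with one JSON event per line (kube-apiserver --audit-log-format=json).

# Crude JSON string extractor: value of the first "key":"value" pair on a
# line. Adequate for the flat string fields used here; use jq for real parsing.
json_str() {
  printf '%s\n' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# Print "<username> <verb> <requestURI>" for every request made with a
# service account token that the API server rejected with 403 Forbidden.
forbidden_sa_requests() {
  grep '"username":"system:serviceaccount:' "$1" | grep '"code":403' |
  while IFS= read -r line; do
    printf '%s %s %s\n' "$(json_str "$line" username)" \
                        "$(json_str "$line" verb)" \
                        "$(json_str "$line" requestURI)"
  done
}

# Number of such events, usable as an alert threshold.
count_forbidden_sa_requests() {
  forbidden_sa_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample audit log (four trimmed events): one normal Contour watch,
# two Forbidden responses to the Contour service account, one Forbidden
# response to a human user that should not be counted.
write_sample_audit_log() {
  cat > "$1" <<'EOF'
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/apis/projectcontour.io/v1/httpproxies","verb":"list","user":{"username":"system:serviceaccount:projectcontour:contour","groups":["system:serviceaccounts"]},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"system:serviceaccount:projectcontour:contour","groups":["system:serviceaccounts"]},"responseStatus":{"metadata":{},"status":"Failure","reason":"Forbidden","code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:serviceaccount:projectcontour:contour","groups":["system:serviceaccounts"]},"responseStatus":{"metadata":{},"status":"Failure","reason":"Forbidden","code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"admin","groups":["system:authenticated"]},"responseStatus":{"metadata":{},"status":"Failure","reason":"Forbidden","code":403}}
EOF
}
```

Point forbidden_sa_requests at the real audit log to see which identity, verb and resource each denial involved; a Contour service account asking for resources outside its namespace, or for RBAC objects, is the pattern the Log Indicators above describe and is worth correlating with token rotation events.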