CVE-2024-5042
📋 TL;DR
This vulnerability in Submariner allows a privileged attacker to deploy malicious containers on nodes, enabling theft of service account tokens. This could lead to lateral movement across the Kubernetes cluster. Organizations using vulnerable Submariner versions for multi-cluster networking are affected.
💻 Affected Systems
- Submariner
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise allowing attacker to access all workloads, steal sensitive data, and potentially pivot to other connected clusters.
Likely Case
Attacker gains elevated privileges within the cluster, accesses sensitive workloads, and performs lateral movement to other nodes.
If Mitigated
Limited impact due to network segmentation, minimal service accounts, and proper RBAC controls restricting token access.
🎯 Exploit Status
Exploitation requires privileged access but is technically simple once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.16.3 and later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-5042
Restart Required: Yes
Instructions:
1. Update Submariner to version 0.16.3 or later.
2. Restart Submariner components.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Service Account Token Mounting
Prevent pods from automatically mounting service account tokens unless explicitly required:
kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}'
Implement Network Policies
Restrict network traffic between pods to limit lateral movement:
kubectl apply -f network-policy.yaml
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can deploy privileged containers
- Enable pod security policies or pod security admission to restrict privileged pod creation
🔍 How to Verify
Check if Vulnerable:
Check the Submariner image in use:
kubectl get pods -n submariner-operator -l app=submariner -o jsonpath='{.items[0].spec.containers[0].image}'
Check Version:
kubectl get pods -n submariner-operator -l app=submariner -o jsonpath='{.items[0].spec.containers[0].image}' | grep -o 'submariner:[0-9.]*'
Verify Fix Applied:
Confirm version is 0.16.3 or later and check that RBAC permissions have been reduced in Submariner components.
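The version check above prints an image reference that still has to be read by a person. As an added example (not part of this advisory), the script below classifies that reference against the 0.16.3 fix version using the same digits-and-dots tag pattern as the grep above, and reports UNKNOWN for tags it cannot compare (such as `latest` or a digest) instead of guessing.

```shell
#!/usr/bin/env bash
# Added example, not from the advisory: classify a Submariner image reference
# as VULNERABLE / FIXED / UNKNOWN relative to the patched version (0.16.3).
set -eu

FIXED_VERSION="0.16.3"   # patch version named in the advisory

# Print the numeric tag of an image reference. Only digits-and-dots tags are
# accepted (same pattern as the grep above); ":latest", "@sha256:..." digests,
# or a missing tag return 1 so the caller does not guess.
submariner_tag() {
  tag="${1##*:}"
  case "$tag" in
    *[!0-9.]*|"") return 1 ;;
  esac
  printf '%s\n' "$tag"
}

# Exit 0 when version $1 sorts strictly before $2 (GNU/BusyBox "sort -V"),
# so 0.16.10 is correctly treated as newer than 0.16.3.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print one verdict for an image reference; always exits 0.
check_submariner_image() {
  if ! tag=$(submariner_tag "$1"); then
    echo UNKNOWN
  elif version_lt "$tag" "$FIXED_VERSION"; then
    echo VULNERABLE
  else
    echo FIXED
  fi
}

# On a live cluster, feed the advisory's command into the check:
#   check_submariner_image "$(kubectl get pods -n submariner-operator \
#     -l app=submariner -o jsonpath='{.items[0].spec.containers[0].image}')"
# Constructed sample references so the script runs offline:
for image in quay.io/submariner/submariner:0.16.2 \
             quay.io/submariner/submariner:0.16.3 \
             quay.io/submariner/submariner:0.16.10 \
             quay.io/submariner/submariner:latest; do
  printf '%-45s %s\n' "$image" "$(check_submariner_image "$image")"
done
```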
📡 Detection & Monitoring
Log Indicators:
- Unauthorized pod creation with privileged security context
- Unexpected service account token access patterns
- Submariner component permission escalation attempts
Network Indicators:
- Unusual outbound connections from Submariner pods
- Traffic patterns indicating lateral movement between clusters
SIEM Query:
source="kubernetes" ("CreateContainer" OR "privileged") AND "submariner"
🔗 References
- https://access.redhat.com/errata/RHSA-2024:4591
- https://access.redhat.com/security/cve/CVE-2024-5042
- https://bugzilla.redhat.com/show_bug.cgi?id=2280921
- https://github.com/advisories/GHSA-2rhx-qhxp-5jpw