CVE-2024-9779
📋 TL;DR
This vulnerability in Open Cluster Management allows attackers with access to worker nodes to steal service account tokens and gain full cluster control. It affects OCM deployments where cluster-manager or klusterlet pods run on compromised nodes. Attackers can escalate privileges to control the entire Kubernetes cluster.
💻 Affected Systems
- Open Cluster Management (OCM)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise allowing attackers to deploy malicious workloads, exfiltrate sensitive data, disrupt operations, and maintain persistent access.
Likely Case
Privilege escalation leading to unauthorized access to cluster resources, potential data theft, and lateral movement within the environment.
If Mitigated
Limited impact if proper node security controls, network segmentation, and least-privilege service accounts are implemented.
🎯 Exploit Status
Exploitation requires node access and knowledge of Kubernetes service account token mounting. The technique is well-documented in Kubernetes security contexts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.13.0
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-9779
Restart Required: Yes
Instructions:
1. Upgrade Open Cluster Management to version 0.13.0 or later. 2. Update cluster-manager and klusterlet deployments. 3. Verify service account permissions are properly restricted. 4. Restart affected pods.
🔧 Temporary Workarounds
Restrict Node Access
allImplement strict access controls to worker nodes and ensure only authorized personnel can access them.
Limit Service Account Permissions
linuxReview and reduce permissions of the cluster-manager service account to minimum required.
kubectl get clusterrole cluster-manager -o yaml
kubectl edit clusterrole cluster-manager
🧯 If You Can't Patch
- Implement strict network segmentation to isolate worker nodes from untrusted networks
- Apply Kubernetes Pod Security Standards to restrict pod capabilities and service account token mounting
🔍 How to Verify
Check if Vulnerable:
Check OCM version: kubectl get deployment -n open-cluster-management cluster-manager -o jsonpath='{.spec.template.spec.containers[0].image}'. If version is below 0.13.0, you are vulnerable.Check Version:
kubectl get deployment -n open-cluster-management cluster-manager -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o ':[0-9.]*'Verify Fix Applied:
Verify OCM version is 0.13.0 or higher and check cluster-manager service account permissions are properly restricted.📡 Detection & Monitoring
Log Indicators:
- Unauthorized pod creation events
- Service account token access from unexpected nodes
- ClusterRoleBinding modifications
Network Indicators:
- Unexpected API server requests from worker nodes
- Lateral movement patterns within the cluster
SIEM Query:
source="kubernetes-audit" AND verb="create" AND resource="pods" AND user.username="system:serviceaccount:open-cluster-management:cluster-manager"🔗 References
- https://access.redhat.com/security/cve/CVE-2024-9779
- https://bugzilla.redhat.com/show_bug.cgi?id=2317916
- https://github.com/open-cluster-management-io/ocm/pull/325
- https://github.com/open-cluster-management-io/ocm/releases/tag/v0.13.0
- https://github.com/open-cluster-management-io/registration-operator/issues/361
