CVE-2019-11250 remains in effect.

Disclosed: 2020-11-29 21:23:11 By purelyapplied To kubernetes
Medium
Vulnerability Details
Report Submission Form ## Summary: "CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs" remains in effect. ## Kubernetes Version: Effects at least all versions since 1.4. - This was determined with some `git` archaeology. This was determined by following the code snippet from it's current location in `kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go` - The snippet was last meaningfully modified - It's current location in The snippet remains relatively unchanged since ## Component Version: I'm not sure. ## Steps To Reproduce: 1. Spin up a cluster with high verbosity: klog.V(9).Enabled() 1. Watch logs round_trippers.go `curl -k -v -X<> -H "Authorization: <token>" <...>` I was having trouble getting a cluster spun up, so I have not managed a live reproduction. ## Supporting Material/References: [Issue \#81146: Kubernetes 3rd Party Security Audit Findings] (https://github.com/kubernetes/kubernetes/issues/81146) [Issue \#81114: CVE-2019-11250: TOB-K8S-001: Bearer tokens are revealed in logs] (https://github.com/kubernetes/kubernetes/issues/81114) [Partial fix for \#81114: PR \#81330] (https://github.com/kubernetes/kubernetes/pull/81330). Note that only `debuggingRoundTripper.RoundTrip` only masks headers in the `if rt.levels[debugRequestHeaders]` block, exposure is also present in the `if rt.levels[debugCurlCommand] {klog.Infof("%s", reqInfo.toCurl())}` preceding it. At `kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:416`: ```golang func (rt *debuggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { reqInfo := newRequestInfo(req) if rt.levels[debugJustURL] { klog.Infof("%s %s", reqInfo.RequestVerb, reqInfo.RequestURL) } if rt.levels[debugCurlCommand] { klog.Infof("%s", reqInfo.toCurl()) } if rt.levels[debugRequestHeaders] { klog.Infof("Request Headers:") for key, values := range reqInfo.RequestHeaders { for _, value := range values { value = maskValue(key, value) klog.Infof(" %s: %s", key, value) } } } // <function continues> } ``` At `kubernetes/staging/src/k8s.io/client-go/transport/round_trippers.go:338`: ```golang // toCurl returns a string that can be run as a command in a terminal (minus the body) func (r *requestInfo) toCurl() string { headers := "" for key, values := range r.RequestHeaders { for _, value := range values { headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value)) } } return fmt.Sprintf("curl -k -v -X%s %s '%s'", r.RequestVerb, headers, r.RequestURL) } ``` Correction will be a one-line diff to use `maskValue` in this loop as well. ## Impact > Alice logs into a Kubernetes cluster and is issued a Bearer token. The system logs her token. Eve, who has access to the logs but not the production Kubernetes cluster, replays Alice’s Bearer token, and can masquerade as Alice to the cluster.
Actions
View on HackerOne
Report Stats
  • Report ID: 952771
  • State: Closed
  • Substate: resolved
  • Upvotes: 1
Share this report