Nuclio Controller Vulnerability Leads to Persistent Kubernetes RCE (GHSA-v5px-423j-pf7p)
The Nuclio controller improperly sanitizes user-controlled input (cron trigger event headers and body) before injecting it into `curl` commands executed by Kubernetes CronJobs, allowing remote attackers to perform command injection and achieve remote code execution (RCE) by breaking quoting contexts in header keys or utilizing shell command substitution in event bodies, leading to arbitrary command execution with root privileges and potential persistence within the Kubernetes cluster.
A critical vulnerability (GHSA-v5px-423j-pf7p, CWE-78) has been identified in the Nuclio controller, affecting all versions up to and including 1.15.27. This flaw stems from inadequate sanitization of user-provided input, specifically event.headers keys and event.body content within cron trigger specifications for NuclioFunctions. When the controller generates a Kubernetes CronJob, it constructs a curl invocation string that incorporates these unsanitized values directly into a shell command executed by /bin/sh -c. Attackers can exploit this by injecting shell metacharacters - either by breaking the double-quote context in headerKey or by using command substitution in event.body - to execute arbitrary commands within the CronJob's container. These CronJobs typically run with root privileges and, notably, lack Kubernetes ownerReferences, allowing them to persist indefinitely even if the original NuclioFunction is deleted, posing a significant risk for persistent remote code execution within the cluster.
Attack Chain
- An attacker, with permissions to create or modify NuclioFunctions in the Kubernetes cluster, crafts a malicious NuclioFunction definition.
- The attacker includes a
crontrigger with a specially craftedevent.headerskey (e.g.,X-Inject"; ARBITRARY_COMMAND; echo ") or a maliciousevent.body(e.g.,$(ARBITRARY_COMMAND)) within the function's specification. - The Nuclio controller reconciles the malicious NuclioFunction, invoking
generateCronTriggerCronJobSpecto construct the internalcurlcommand string. - During command construction, the unsanitized
headerKeyoreventBodyis injected directly into the shell command argument passed to/bin/sh -c. ForheaderKey, double quotes are improperly handled, allowing direct shell command injection; foreventBody,strconv.Quotefails to escape$(...), enabling command substitution. - The controller creates a Kubernetes CronJob resource with its container
argsexplicitly configured as/bin/sh -c <malicious_curlCommand>, wheremalicious_curlCommandnow contains the injected arbitrary commands. - The Kubernetes scheduler activates the CronJob, causing the CronJob pod to execute the
sh -ccommand, leading to the execution of arbitrary commands (e.g.,id,cat /var/run/secrets/...) within the pod. These pods often run with root privileges. - The created CronJob lacks Kubernetes
ownerReferences, allowing it to persist and continue executing its schedule indefinitely, even if the original NuclioFunction or its Deployment is subsequently removed. - The attacker leverages this RCE to exfiltrate sensitive data (such as Kubernetes service account tokens), establish a persistent foothold, or further compromise the Kubernetes cluster.
Impact
Successful exploitation of this vulnerability grants remote attackers persistent remote code execution within the target Kubernetes cluster, typically with root privileges. This allows for arbitrary command execution, sensitive data exfiltration (e.g., Kubernetes service account tokens), and potential for broader compromise of cluster resources. The lack of ownerReferences on the created CronJobs means that even if a compromised NuclioFunction is deleted, the malicious CronJob can continue to run indefinitely, ensuring persistence for the attacker. The vulnerability carries a CVSS 3.1 score of 9.9 (Critical), indicating severe consequences for confidentiality, integrity, and availability of the affected system.
Recommendation
- Patch CVE-XXXX-YYYY immediately: Upgrade Nuclio to a patched version once available. Monitor official Nuclio channels for security updates addressing GHSA-v5px-423j-pf7p.
- Deploy the Sigma rules in this brief: Implement the
Detect Nuclio CronJob RCE via Header Key InjectionandDetect Nuclio CronJob RCE via Body Command Substitutionrules to identify attempts at exploiting this vulnerability at the Kubernetes API server audit log level. - Review Kubernetes audit logs: Actively monitor for suspicious
create,update, orpatchevents onbatch/v1/cronjobsresources, especially those originating from the Nuclio controller, forargsfields containing the patterns identified in the IOCs. - Restrict NuclioFunction deployment permissions: Limit permissions to create or modify
NuclioFunctionresources to trusted administrators, reducing the attack surface for this vulnerability.
Detection coverage 2
Detect Nuclio CronJob RCE via Header Key Injection (GHSA-v5px-423j-pf7p)
criticalDetects creation or modification of Kubernetes CronJobs by Nuclio where the container arguments indicate command injection via unsanitized `event.headers` keys, as described in GHSA-v5px-423j-pf7p. This is characterized by a double-quote break followed by shell commands.
Detect Nuclio CronJob RCE via Body Command Substitution (GHSA-v5px-423j-pf7p)
criticalDetects creation or modification of Kubernetes CronJobs by Nuclio where the container arguments indicate command injection via unsanitized `event.body` using shell command substitution, as described in GHSA-v5px-423j-pf7p.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
attack_string
| Type | Value |
|---|---|
| attack_string | X-Inject"; echo "===RCE_CONFIRMED==="; id; cat /var/run/secrets/kubernetes.io/serviceaccount/token | head -c 50; echo " |
| attack_string | $(id 1>&2; echo BODY_INJECTION_PROOF) |