{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/policy-engine/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Kyverno"],"_cs_severities":["medium"],"_cs_tags":["kyverno","denial-of-service","kubernetes","policy-engine"],"_cs_type":"advisory","_cs_vendors":["Kyverno"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the \u003ccode\u003eforEach\u003c/code\u003e mutation handler of Kyverno, a Kubernetes policy engine. Specifically, Kyverno versions v1.13.0 through v1.17.1 are susceptible to a flaw where an unchecked type assertion within the \u003ccode\u003eForEach\u003c/code\u003e function in \u003ccode\u003epkg/engine/mutate/mutation.go\u003c/code\u003e can be triggered by a specially crafted \u003ccode\u003ePolicy\u003c/code\u003e or \u003ccode\u003eClusterPolicy\u003c/code\u003e. Any user with the ability to create these policy types can exploit this vulnerability. When a \u003ccode\u003epatchesJson6902\u003c/code\u003e field contains a variable substitution (e.g., \u003ccode\u003e{{ element.nonexistent }}\u003c/code\u003e) that resolves to \u003ccode\u003enil\u003c/code\u003e at runtime, the type assertion \u003ccode\u003e.(string)\u003c/code\u003e on a nil \u003ccode\u003einterface{}\u003c/code\u003e triggers an unrecoverable Go panic. This results in the background controller entering a persistent CrashLoopBackOff state, effectively halting background processing. The admission controller will also drop connections and block matching resource operations. CEL-based policies are unaffected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003ePolicy\u003c/code\u003e or \u003ccode\u003eClusterPolicy\u003c/code\u003e YAML manifest containing a \u003ccode\u003eforEach\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eThe crafted rule includes a \u003ccode\u003epatchesJson6902\u003c/code\u003e field with a variable substitution, such as \u003ccode\u003e{{ element.nonexistent }}\u003c/code\u003e, designed to resolve to \u003ccode\u003enil\u003c/code\u003e at runtime.\u003c/li\u003e\n\u003cli\u003eThe attacker applies the malicious policy to the Kubernetes cluster. This requires appropriate permissions to create \u003ccode\u003ePolicy\u003c/code\u003e or \u003ccode\u003eClusterPolicy\u003c/code\u003e resources.\u003c/li\u003e\n\u003cli\u003eWhen a resource matching the policy\u0026rsquo;s \u003ccode\u003ematch\u003c/code\u003e criteria is created or updated, the Kyverno admission controller attempts to apply the policy.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eForEach\u003c/code\u003e function in \u003ccode\u003epkg/engine/mutate/mutation.go\u003c/code\u003e is invoked, processing the \u003ccode\u003epatchesJson6902\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe variable substitution resolves to \u003ccode\u003enil\u003c/code\u003e, leading to a bare type assertion failure: \u003ccode\u003efe[\u0026quot;patchesJson6902\u0026quot;].(string)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis triggers an unrecoverable Go panic, causing either the background controller (if triggered by \u003ccode\u003emutateExisting\u003c/code\u003e rules) or the admission controller to terminate the connection.\u003c/li\u003e\n\u003cli\u003eThe background controller enters a CrashLoopBackOff state due to the persistent \u003ccode\u003eUpdateRequest\u003c/code\u003e resources that re-trigger the panic on every restart, achieving a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial of service affecting Kyverno\u0026rsquo;s core functionalities within the Kubernetes cluster. An attacker can crash the background controller, halting critical background tasks such as generate rules, mutateExisting rules, and cleanup processes. The admission controller can also be affected, dropping connections and blocking resource operations that match the malicious policy\u0026rsquo;s criteria. If a ClusterPolicy is used, this block extends cluster-wide. This vulnerability allows even users with limited, namespace-scoped permissions (via Policy creation) to impact the entire cluster, thus escalating privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Kyverno version v1.17.2 or later to patch the vulnerability (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Kyverno Policy with Suspicious forEach\u003c/code\u003e to identify potentially malicious policies containing \u003ccode\u003eforEach\u003c/code\u003e loops with \u003ccode\u003epatchesJson6902\u003c/code\u003e fields that could trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Kyverno controller logs for \u0026ldquo;panic: interface conversion: interface {} is nil, not string\u0026rdquo; errors, indicating a potential exploitation attempt (see Attack Chain, step 7).\u003c/li\u003e\n\u003cli\u003eImplement strict RBAC policies to limit the ability to create or modify Kyverno \u003ccode\u003ePolicy\u003c/code\u003e and \u003ccode\u003eClusterPolicy\u003c/code\u003e resources (see Impact).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T12:00:00Z","date_published":"2024-01-27T12:00:00Z","id":"/briefs/2024-01-kyverno-dos/","summary":"An unchecked type assertion in Kyverno versions v1.13.0 to v1.17.1 allows a user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff, leading to a denial of service, by crafting a malicious policy that triggers a nil pointer dereference in the forEach mutation handler.","title":"Kyverno Controller Denial of Service via forEach Mutation Panic","url":"https://feed.craftedsignal.io/briefs/2024-01-kyverno-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Policy-Engine","version":"https://jsonfeed.org/version/1.1"}