CVE-2024-10220: Kubernetes kubelet RCE Vulnerability

CVE-2024-10220 Overview

The Kubernetes kubelet component contains a critical vulnerability that allows arbitrary command execution via specially crafted gitRepo volumes. This path traversal flaw (CWE-22) enables attackers with pod creation privileges to execute arbitrary commands on the underlying kubelet host node, potentially leading to complete cluster compromise.

Critical Impact

Attackers with the ability to create pods using gitRepo volumes can achieve arbitrary command execution on kubelet nodes, potentially compromising the entire Kubernetes cluster infrastructure.

Affected Products

• Kubernetes kubelet through version 1.28.11
• Kubernetes kubelet versions 1.29.0 through 1.29.6
• Kubernetes kubelet versions 1.30.0 through 1.30.2

Discovery Timeline

• 2024-11-22 - CVE-2024-10220 published to NVD
• 2024-11-22 - Last updated in NVD database

Technical Details for CVE-2024-10220

Vulnerability Analysis

This vulnerability exploits the gitRepo volume type in Kubernetes, which is a deprecated feature that allows pods to mount a git repository as a volume. The flaw resides in how the kubelet processes the gitRepo volume specification, specifically failing to properly sanitize or validate the repository path and related parameters before executing git commands.

When a malicious actor creates a pod with a specially crafted gitRepo volume specification, the kubelet executes git operations without adequate input validation. This allows an attacker to inject arbitrary commands that execute with the privileges of the kubelet process, which typically runs as root on the host node.

The attack is network-accessible and requires low privileges (the ability to create pods with gitRepo volumes). No user interaction is required for exploitation, making this vulnerability particularly dangerous in multi-tenant Kubernetes environments where users may have pod creation capabilities.

Root Cause

The root cause is improper input validation and path traversal (CWE-22) in the kubelet's handling of gitRepo volume specifications. The kubelet fails to properly sanitize repository URLs, directory paths, and revision parameters before passing them to shell commands, allowing command injection through specially crafted values.

Attack Vector

The attack leverages the network-accessible Kubernetes API to submit malicious pod specifications. An attacker with credentials that allow pod creation (including gitRepo volumes) can craft a pod manifest with malicious gitRepo volume parameters. When the kubelet processes this pod specification, it executes the injected commands on the host node with kubelet privileges.

The vulnerability is particularly concerning because:

• It requires only low-level privileges (pod creation)
• No user interaction is needed
• Successful exploitation provides high impact to both confidentiality and integrity
• The gitRepo volume type, while deprecated, remains functional in affected versions

Detection Methods for CVE-2024-10220

Indicators of Compromise

• Pods created with gitRepo volume specifications, especially those with unusual repository URLs or directory paths
• Unexpected process execution on kubelet nodes originating from git-related operations
• Anomalous network connections from kubelet nodes to external git repositories
• Unusual file system modifications in node directories associated with volume mounts

Detection Strategies

• Monitor Kubernetes audit logs for pod creation events that include gitRepo volume types
• Implement admission controllers to block or alert on pods using deprecated gitRepo volumes
• Deploy runtime security monitoring on kubelet nodes to detect command injection patterns
• Configure SentinelOne Kubernetes protection to identify suspicious container and node activities

Monitoring Recommendations

• Enable Kubernetes audit logging with detailed request body logging for pod creation events
• Set up alerts for any use of gitRepo volumes in production clusters
• Implement node-level process monitoring to detect unexpected command execution
• Deploy SentinelOne Cloud Workload Protection for comprehensive kubelet and container runtime monitoring

How to Mitigate CVE-2024-10220

Immediate Actions Required

• Upgrade Kubernetes to patched versions: 1.28.12+, 1.29.7+, or 1.30.3+
• Implement admission controllers to deny pods with gitRepo volume specifications
• Review existing pods and deployments for gitRepo volume usage and migrate to alternative solutions
• Apply network policies to restrict kubelet access to trusted networks only

Patch Information

Kubernetes has released security patches addressing this vulnerability. Organizations should upgrade to the following versions or later:

• Version 1.28.12 or later for the 1.28.x branch
• Version 1.29.7 or later for the 1.29.x branch
• Version 1.30.3 or later for the 1.30.x branch

For detailed information, refer to the Kubernetes Security Announcement, GitHub Issue Discussion, and OSS-Security Advisory.

Workarounds

• Deploy admission controllers (such as OPA Gatekeeper or Kyverno) to block gitRepo volume usage
• Use init containers with git operations instead of gitRepo volumes as a migration strategy
• Restrict RBAC permissions to prevent untrusted users from creating pods with volume specifications
• Consider implementing PodSecurityPolicies or Pod Security Standards to limit volume type usage

# Example: Kyverno policy to block gitRepo volumes
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-gitrepo-volumes
spec:
  validationFailureAction: Enforce
  rules:
  - name: deny-gitrepo-volumes
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "gitRepo volumes are not allowed due to CVE-2024-10220"
      pattern:
        spec:
          =(volumes):
          - X(gitRepo): "null"