Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/fluid-cloudnative/fluid: CVE-2023-30840 #1763

Closed
GoVulnBot opened this issue May 8, 2023 · 4 comments
Closed

x/vulndb: potential Go vuln in github.com/fluid-cloudnative/fluid: CVE-2023-30840 #1763

GoVulnBot opened this issue May 8, 2023 · 4 comments
Assignees
@jba
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2023-30840 references github.com/fluid-cloudnative/fluid, which may be a Go module.

Description:
Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi pod (controlled by the csi-nodeplugin-fluid node-daemonset), they can leverage the fluid-csi service account to modify specs of all the nodes in the cluster. However, since this service account lacks list node permissions, the attacker may need to use other techniques to identify vulnerable nodes.

Once the attacker identifies and modifies the node specs, they can manipulate system-level-privileged components to access all secrets in the cluster or execute pods on other nodes. This allows them to elevate privileges beyond the compromised node and potentially gain full privileged access to the whole cluster.

To exploit this vulnerability, the attacker can make all other nodes unschedulable (for example, patch node with taints) and wait for system-critical components with high privilege to appear on the compromised node. However, this attack requires two prerequisites: a compromised node and identifying all vulnerable nodes through other means.

Version 0.8.6 contains a patch for this issue. As a workaround, delete the csi-nodeplugin-fluid daemonset in fluid-system namespace and avoid using CSI mode to mount FUSE file systems. Alternatively, using sidecar mode to mount FUSE file systems is recommended.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/fluid-cloudnative/fluid
    packages:
      - package: fluid
description: |
    Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi pod (controlled by the `csi-nodeplugin-fluid` node-daemonset), they can leverage the fluid-csi service account to modify specs of all the nodes in the cluster. However, since this service account lacks `list node` permissions, the attacker may need to use other techniques to identify vulnerable nodes.

    Once the attacker identifies and modifies the node specs, they can manipulate system-level-privileged components to access all secrets in the cluster or execute pods on other nodes. This allows them to elevate privileges beyond the compromised node and potentially gain full privileged access to the whole cluster.

    To exploit this vulnerability, the attacker can make all other nodes unschedulable (for example, patch node with taints) and wait for system-critical components with high privilege to appear on the compromised node. However, this attack requires two prerequisites: a compromised node and identifying all vulnerable nodes through other means.

    Version 0.8.6 contains a patch for this issue. As a workaround, delete the `csi-nodeplugin-fluid` daemonset in `fluid-system` namespace and avoid using CSI mode to mount FUSE file systems. Alternatively, using sidecar mode to mount FUSE file systems is recommended.
cves:
  - CVE-2023-30840
references:
  - advisory: https://github.com/fluid-cloudnative/fluid/security/advisories/GHSA-93xx-cvmc-9w3v
  - fix: https://github.com/fluid-cloudnative/fluid/commit/77c8110a3d1ec077ae2bce6bd88d296505db1550
  - fix: https://github.com/fluid-cloudnative/fluid/commit/91c05c32db131997b5ca065e869c9918a125c149
  - web: https://github.com/fluid-cloudnative/fluid/releases/tag/v0.8.6
@jba jba self-assigned this May 9, 2023
@jba
Copy link
Contributor

jba commented May 9, 2023

This is a binary. Fixes are to packages with zero importers.

@jba jba added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label May 9, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/493895 mentions this issue: data/excluded: batch add GO-2023-1763, GO-2023-1764, GO-2023-1761, GO-2023-1758, GO-2023-1754

@GoVulnBot GoVulnBot mentioned this issue Mar 15, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 3, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606785 mentions this issue: data/reports: unexclude 20 reports (5)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (5)
5ea5cbb 
  - data/reports/GO-2023-1700.yaml
  - data/reports/GO-2023-1701.yaml
  - data/reports/GO-2023-1707.yaml
  - data/reports/GO-2023-1708.yaml
  - data/reports/GO-2023-1716.yaml
  - data/reports/GO-2023-1718.yaml
  - data/reports/GO-2023-1719.yaml
  - data/reports/GO-2023-1721.yaml
  - data/reports/GO-2023-1723.yaml
  - data/reports/GO-2023-1730.yaml
  - data/reports/GO-2023-1735.yaml
  - data/reports/GO-2023-1738.yaml
  - data/reports/GO-2023-1747.yaml
  - data/reports/GO-2023-1754.yaml
  - data/reports/GO-2023-1758.yaml
  - data/reports/GO-2023-1761.yaml
  - data/reports/GO-2023-1763.yaml
  - data/reports/GO-2023-1764.yaml
  - data/reports/GO-2023-1768.yaml
  - data/reports/GO-2023-1774.yaml

Updates #1700
Updates #1701
Updates #1707
Updates #1708
Updates #1716
Updates #1718
Updates #1719
Updates #1721
Updates #1723
Updates #1730
Updates #1735
Updates #1738
Updates #1747
Updates #1754
Updates #1758
Updates #1761
Updates #1763
Updates #1764
Updates #1768
Updates #1774

Change-Id: I3fc567427d68e095cc62ea48dc9b284b2414a372
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606785
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jba jba

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @jba @GoVulnBot