[layer5-maintainers] Fwd: [meshery-maintainers] 93755 CRM:0920000219


Lee Calcote

Mar 25, 2025, 5:23:30 PM
to cncf-meshery...@lists.cncf.io, Layer5 Maintainers
Maintainers,

Security researchers at Microsoft Security Response Center found what they consider to be a vulnerability in Meshery. This is timely considering next week’s Security Slam.

I think there is confusion regarding Meshery’s default deployment configuration and that with clarification, there may be reconsideration as to whether this is a vulnerability or an unhardened deployment.

I’ll send a reply to all asking for clarification. Everyone else is free to respond as well.

- Lee

Begin forwarded message:

From: "'Microsoft Security Response Center' via Meshery Security and Vulnerability Reports" <secu...@meshery.dev>
Subject: [meshery-maintainers] RE: 93755 CRM:0920000219
Date: March 25, 2025 at 11:59:55 AM CDT
Cc: Yossi Weizman <yow...@microsoft.com>
Reply-To: Microsoft Security Response Center <sec...@microsoft.com>

Hello Meshery Team,
 
Our internal Security Research team is currently working on publishing a blog regarding a Vuln that ties into Meshery. 
 
Please look at the portion of the writeup that has to do with Meshery:
 
By default, when installing Meshery on your Kubernetes cluster via the official helm installation, the app’s interface is exposed via an external IP address.
We discovered that anyone who can access the external IP address can sign up with a new user (Figure 4) and access the interface, which provides extensive visibility into cluster activities and even enables the deployment of new pods. These capabilities grant attackers a direct path to execute arbitrary code and gain control of underlying resources if Meshery is not secured or restricted to internal networks only.
 
 
Please confirm that you've received this email. We would also like a Target Release Date in order for us to publish our blog.
 
Thank you,
 
MSRC
 
 

--
You received this message because you are subscribed to the Google Groups "Meshery Security and Vulnerability Reports" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security+u...@meshery.dev.
To view this discussion visit https://groups.google.com/a/meshery.dev/d/msgid/security/BKGNV58GQPU4.17LK6O1UEE96%40mail.msrc.microsoft.com.

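The exposure described in the forwarded report hinges on the Meshery Service being reachable from outside the cluster. As an added example (not Meshery's own code or chart output), the check below scans the JSON that `kubectl get svc -A -o json` produces and flags every Service that has a public LoadBalancer address, a NodePort, or explicit externalIPs, so an operator can verify whether a deployment is exposed before relying on network restrictions. The service names, namespace, port and address in the sample are constructed for the demonstration.

```python
import json

# Constructed sample of `kubectl get svc -A -o json` output (not real cluster data):
# one LoadBalancer Service with a public ingress IP and one ClusterIP-only Service.
SAMPLE_SVC_JSON = json.dumps({
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "meshery", "namespace": "meshery"},
            "spec": {"type": "LoadBalancer",
                     "ports": [{"port": 9081, "targetPort": 8080}]},
            "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
        },
        {
            "metadata": {"name": "meshery-broker", "namespace": "meshery"},
            "spec": {"type": "ClusterIP", "ports": [{"port": 4222}]},
            "status": {"loadBalancer": {}},
        },
    ],
})


def external_exposure(svc_list_json: str):
    """Return (namespace/name, reason) pairs for Services reachable from outside
    the cluster: a LoadBalancer ingress address, a NodePort, or explicit externalIPs."""
    findings = []
    for svc in json.loads(svc_list_json).get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        # LoadBalancer Services only become reachable once the cloud provider
        # fills in status.loadBalancer.ingress, so report that rather than the type.
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        for entry in ingress:
            addr = entry.get("ip") or entry.get("hostname")
            if addr:
                findings.append((ident, f"LoadBalancer address {addr}"))
        if spec.get("type") == "NodePort":
            ports = [str(p["nodePort"]) for p in spec.get("ports", []) if p.get("nodePort")]
            findings.append((ident, "NodePort " + ",".join(ports)))
        for ip in spec.get("externalIPs", []):
            findings.append((ident, f"externalIP {ip}"))
    return findings


if __name__ == "__main__":
    # Live use: kubectl get svc -A -o json | python3 exposure_check.py
    import sys
    data = SAMPLE_SVC_JSON if sys.stdin.isatty() else sys.stdin.read()
    for ident, reason in external_exposure(data):
        print(f"EXPOSED {ident}: {reason}")
```

An empty result means no Service advertises an external address; it does not by itself say anything about whether self-signup is enabled on the interface, which the report raises as the second half of the problem.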

Sangram Rath

Mar 26, 2025, 12:45:52 AM
to Lee Calcote, cncf-meshery...@lists.cncf.io, Layer5 Maintainers
Hello Lee,

The images are missing.
Are you able to see the images in the original email? If yes, please attach them for reference.



--
Thanks,
Sangram Rath