[Security Advisory] CVE-2022-31076 and CVE-2022-31077: CloudCore may be attacked by a malicious message

Linguohui (lin)
Jun 24, 2022, 10:33:11 AM6/24/22
to kube...@googlegroups.com

Hello KubeEdge Community,

Two security issues were discovered in KubeEdge:

- A malicious message can crash CloudCore by triggering a nil-pointer dereference in the UDS Server. This issue has been rated Moderate and assigned CVE-2022-31076.

Score: 4.2, CVSS link is https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

- A malicious message response from KubeEdge can crash the CSI Driver controller server by triggering a nil-pointer dereference panic. This issue has been rated Moderate and assigned CVE-2022-31077.

Score: 4.0, CVSS link is https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Am I vulnerable?

- Issue CVE-2022-31076:

CloudCore is affected only when users turn on the unixsocket switch in the config file cloudcore.yaml, as below:

modules:
  cloudHub:
    ...
    unixsocket:
      address: xxx
      enable: true

- Issue CVE-2022-31077:

When the user launches the CSI driver, CloudCore may be attacked.

Affected Versions

<=1.10.0, 1.9.2, 1.8.2

How do I mitigate this vulnerability?

These bugs have been fixed in KubeEdge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issues.

Fixed Versions

1.11.0, 1.10.1, and 1.9.3

Detection

The issues were found as a build failure by OSS-Fuzz. In both the CSI driver and the UDS server of CloudCore, a double pointer is passed to json.Unmarshal(). If json.Unmarshal() is given the bytes []byte{'n', 'u', 'l', 'l'} (the JSON literal null) as its first parameter and a double pointer as its second, the struct to which the buffer should be unmarshalled (the pointer passed as the second parameter) is set to nil, and the code that subsequently dereferences it panics.

A similar issue was found in another open source project that Ada Logics previously contributed security work to; see https://adalogics.com/blog/fuzzing-istio-cve-CVE-2022-23635, which describes the root cause in more detail.
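The root cause described above, as an added example that is not taken from KubeEdge's code base (the Message type and the function names are hypothetical): the vulnerable double-pointer decode next to the nil check that the fix needs.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Message is a hypothetical stand-in for the structs that CloudCore's UDS
// server and CSI driver decode; it is not one of KubeEdge's own types.
type Message struct {
	Content string `json:"content"`
}

// decodeUnchecked reproduces the vulnerable pattern: &msg is a **Message, and
// for the JSON literal `null` json.Unmarshal sets msg itself to nil without
// returning an error, so the field access below dereferences a nil pointer.
func decodeUnchecked(raw []byte) (string, error) {
	msg := &Message{}
	if err := json.Unmarshal(raw, &msg); err != nil {
		return "", err
	}
	return msg.Content, nil // panics when msg == nil
}

// decodeChecked is the hardened form: validate the pointer before using it.
func decodeChecked(raw []byte) (string, error) {
	var msg *Message
	if err := json.Unmarshal(raw, &msg); err != nil {
		return "", err
	}
	if msg == nil {
		return "", errors.New("message body is JSON null")
	}
	return msg.Content, nil
}

// panics runs f and reports whether it panicked, recovering so the demo survives.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	println(panics(func() { decodeUnchecked([]byte(`null`)) })) // true
}
```

The constructed `null` body is accepted without error by the unchecked decoder and crashes it on the next field access, while the checked decoder rejects it and still decodes ordinary messages normally.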

If you find evidence that this vulnerability has been exploited, please contact cncf-kubeed...@lists.cncf.io

Additional Details

See the GitHub advisory for more details:

- CVE-2022-31076: Please see https://github.com/kubeedge/kubeedge/security/advisories/GHSA-8f4f-v9x5-cg6j for more details.

- CVE-2022-31077: Please see https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x938-fvfw-7jh5 for more details.

Acknowledgements

These vulnerabilities were reported by David Korczynski and Adam Korczynski of Ada Logics during a security audit sponsored by CNCF and facilitated by OSTIF.

The issues were fixed and coordinated by the KubeEdge sig-security and Security Team.

Thank You,

Vincent on behalf of the KubeEdge Security Team
