
[Bug]: A security issue regarding Nuclio #3178

Open
1 of 2 tasks
sparkEchooo opened this issue Feb 23, 2024 · 8 comments

Comments

@sparkEchooo

sparkEchooo commented Feb 23, 2024

Nuclio Version checks

  • I have checked that this issue has not already been reported.

  • I have confirmed this bug exists on the latest version of Nuclio.

Issue Description

Summary

Nuclio in GKE gave excessive authority when defining the Service Account named "nuclio-nuclio-serviceaccountname-3bda". Besides, this Service Account is mounted in a deployment named "nuclio-dashboard", which makes it possible for attackers to raise their rights to administrator level.

Detailed Analysis

1. I deployed Nuclio in the marketplace of Google's GKE cluster.
2. The clusterrole named "nuclio:nuclio.serviceAccountName-r0" defines the "*" verbs of "*", and this clusterrole is bound to the Service Account named "nuclio-nuclio-serviceaccountname-3bda".

Attacking Strategy

If a malicious user controls a specific worker node which has the deployment mentioned above, or steals the Service Account token mentioned above, he/she can raise permissions to administrator level and control the whole cluster.

Mitigation Discussion

• Developers could use a RoleBinding instead of a ClusterRoleBinding to restrict permissions to a namespace.
• Developers could specify specific permissions instead of using "cluster-admin" (*.* permissions).

A few questions

• Is it a real issue in Nuclio?
• If it's a real issue, can Nuclio mitigate the risks following my suggestions discussed in the "mitigation discussion"?

If it's a real issue, does Nuclio plan to fix this issue?

Expected Behavior

Permission escalation

Deployment Method

Kubernetes

Nuclio Version

GKE marketplace

Additional Information

No response

@liranbg
Contributor

liranbg commented Feb 25, 2024

Hi @sparkEchooo, you may use the latest helm chart with https://github.com/nuclio/nuclio/blob/development/hack/k8s/helm/nuclio/values.yaml#L446 set (namespaced), and that will not create a cluster role for deploying / managing the nuclio CRD.

@sparkEchooo
Author

Hi there, Thanks for your reply!

Is the issue with nuclio on the GCP marketplace due to an outdated version?

@sparkEchooo
Author

Is it a real issue in Nuclio?
I will report this issue to Google.

@liranbg
Contributor

liranbg commented Apr 2, 2024

I think it does. Perhaps it takes default helm chart

@sparkEchooo
Author

Hi @liranbg, thank you for your reply!

May I ask whether you plan to update nuclio on GCP Marketplace by submitting a new version? If so, can you give us a moderate CVE or public thanks for awarding our efforts?
Thanks again!

Reporter List

@sparkEchooo
Author

Hi there,
If you're looking to update nuclio on the GCP Marketplace, this might help: https://cloud.google.com/marketplace/docs/partners/kubernetes/maintaining-product

@TomerShor
Contributor

Looks like @ganochenkodg maintains the Nuclio chart on GCP - https://github.com/GoogleCloudPlatform/click-to-deploy/tree/master/k8s/nuclio/chart/nuclio

@ganochenkodg if possible, please update the chart to allow configuring role and rolebinding instead of clusterrole and clusterrolebinding, according to the namespaced value as used in this example template: https://github.com/nuclio/nuclio/blob/development/hack/k8s/helm/nuclio/templates/role/crd-admin.yaml
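Added here as a defender's check, not code from Nuclio or the GCP chart: it runs over a constructed JSON sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json` and lists the service accounts that a ClusterRoleBinding ties to a wildcard ClusterRole, which is the condition the issue body and the comment above describe. Apart from the two names quoted in the issue, all object names are made up.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
# Object names echo those quoted in the issue; the reader role is a constructed contrast.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "nuclio:nuclio.serviceAccountName-r0"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "nuclio-crd-reader"},
     "rules": [{"apiGroups": ["nuclio.io"], "resources": ["nucliofunctions"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "nuclio-admin-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "nuclio:nuclio.serviceAccountName-r0"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "nuclio",
                   "name": "nuclio-nuclio-serviceaccountname-3bda"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "nuclio-reader-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "nuclio-crd-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "nuclio", "name": "nuclio-reader"}]},
]})


def is_wildcard_rule(rule):
    # Cluster-admin equivalent: every verb on every resource in every API group.
    return all("*" in rule.get(key, []) for key in ("verbs", "resources", "apiGroups"))


def find_wildcard_service_accounts(rbac_json):
    # Return "namespace/name" of every ServiceAccount that a ClusterRoleBinding
    # ties to a ClusterRole containing a wildcard rule (the issue's finding).
    items = json.loads(rbac_json)["items"]
    wildcard_roles = {
        obj["metadata"]["name"] for obj in items
        if obj["kind"] == "ClusterRole"
        and any(is_wildcard_rule(rule) for rule in obj.get("rules", []))
    }
    findings = []
    for obj in items:
        if obj["kind"] != "ClusterRoleBinding":
            continue
        ref = obj.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in wildcard_roles:
            continue
        for subject in obj.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                findings.append(f"{subject.get('namespace', '')}/{subject['name']}")
    return sorted(findings)
```

Feeding it the real output of `kubectl get clusterroles,clusterrolebindings -o json` shows which service accounts still hold cluster-wide wildcard access; a namespaced RoleBinding, the mitigation discussed above, is deliberately not flagged.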

@ganochenkodg

@armandomiani I'm summoning you! Are you still working on GCP marketplace?
