Introduction
CVE-2023-27483 has just been released, affecting users of crossplane-runtime libraries in a Kubernetes cluster. In this blog you will learn how to find out if you are affected, possible mitigations, and how KSOC can help. In general, you can protect yourself against exploitation of this CVE with the patched versions of crossplane-runtime that are available. We recommend considering a version upgrade before implementing other mitigation techniques.
What is it
Crossplane is a set of Golang libraries that allow developers to build a Kubernetes control plane spanning multiple cloud service providers. CVE-2023-27483 is a High rated vulnerability scoring 7.5 on the CVSS scale. In affected versions of Crossplane, code that passes user-provided input to the ‘Paved’ type’s ‘SetValue’ method can be made to consume excessive amounts of memory unless an input validation check has been added. A remote authenticated attacker can craft a special request using that method in order to cause a denial of service. Ada Logics, sponsored by the CNCF, were able to prove the exploit through fuzz testing, as mentioned here.
Mitigation
To fix the issue, the remediated package versions add the required input validation to the Crossplane package. For customers using vulnerable crossplane packages who cannot upgrade, we suggest building input validation for the path before passing it to ‘SetValue’. As a path index is capped at max uint32, KSOC recommends that the input validation at a minimum constrain the index to be below 4294967295.
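A pre-check of the kind described above, written as an added example for this post (it is not crossplane-runtime's own code); it assumes the caller holds the raw field-path string as it arrived from the user and runs this check before calling ‘SetValue’:

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// maxIndex mirrors the post's guidance: reject any array index that is not
// below 4294967295 (math.MaxUint32).
const maxIndex = math.MaxUint32

var ErrIndexTooLarge = errors.New("fieldpath: array index exceeds uint32 limit")

// ValidateFieldPath scans a crossplane-style field path such as
// "spec.containers[0].image" and returns an error if any bracketed array
// index is not a decimal integer below maxIndex. It is a defensive pre-check
// for untrusted input, not a replacement for upgrading the library.
func ValidateFieldPath(path string) error {
	for {
		open := strings.IndexByte(path, '[')
		if open < 0 {
			return nil // no more bracketed segments
		}
		end := strings.IndexByte(path[open:], ']')
		if end < 0 {
			return errors.New("fieldpath: unterminated '['")
		}
		inner := path[open+1 : open+end]
		// Quoted keys such as ["a.b/c"] address map entries, not array slots,
		// so they are not subject to the index limit.
		if !strings.HasPrefix(inner, "\"") {
			idx, err := strconv.ParseUint(inner, 10, 64)
			if err != nil {
				return fmt.Errorf("fieldpath: bad index %q: %w", inner, err)
			}
			if idx >= maxIndex {
				return fmt.Errorf("%w: %d", ErrIndexTooLarge, idx)
			}
		}
		path = path[open+end+1:] // continue after the closing bracket
	}
}

func main() {
	// Constructed sample paths: one benign, two that must be rejected.
	for _, p := range []string{"spec.containers[0].image", "spec.items[4294967295].name", "spec.items[99999999999999]"} {
		fmt.Printf("%-36s -> %v\n", p, ValidateFieldPath(p))
	}
}
```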
Detecting Exploitation attempts
Some WAF tools may be able to flag HTTP requests that contain the DoS payload. To exploit the vulnerability, an attacker would need to be authenticated to the control plane and send a payload destined for the ‘Paved’ type in the ‘FieldPath’ package whose index exceeds the size of uint32. Customers who cannot upgrade Crossplane should consider working with their WAF vendor to create a custom rule that works for their environment.
How can I tell if I am affected?
The affected versions of Crossplane are <0.16.1, and >=0.17.0 but <0.19.2. This has been patched in 0.16.1 and 0.19.2. Image scanning tools that output an SBOM should list the crossplane package version running in the control plane images. Not all vulnerability databases are updated at the same frequency, so checking the SBOM package version of crossplane will quickly identify whether an affected version is running in your cluster.
How can KSOC help?
KSOC can help detect and find vulnerable versions of Crossplane deployed across your clusters. While most image or IaC scanning capabilities, whether via image scanning or creation of an SBOM, can only detect the presence of the vulnerable packages, KSOC can detect whether the vulnerable packages are actually deployed. That is the advantage of our real-time, event-driven Kubernetes Security and Posture Management (KSPM) platform.
See what real-time looks like in the Kubernetes platform with this on-demand 20 minute demo.