Privilege escalation vulnerability in MicroK8s allows a low privilege user with local access to obtain root access to the host by provisioning a privileged container. Fixed in MicroK8s 1.15.3.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Microk8s | Canonical | * | 1.15.3 (excluding) |
| Microk8s | Ubuntu | snap | * |
| Microk8s | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- https://discuss.kubernetes.io/t/explicit-use-of-sudo-in-microk8s-cli/7605
- https://github.com/ubuntu/microk8s/pull/590
- https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15789.html
- https://pulsesecurity.co.nz/advisories/microk8s-privilege-escalation
- https://discuss.kubernetes.io/t/explicit-use-of-sudo-in-microk8s-cli/7605
- https://github.com/ubuntu/microk8s/pull/590
- https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15789.html
- https://pulsesecurity.co.nz/advisories/microk8s-privilege-escalation