CVE-2026-54099
Status: Received - Intake
Windows Machine Config Operator Privilege Escalation

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Red Hat, Inc.

Description
A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.
Meta Information
Published: 2026-06-22; Last Modified: 2026-06-22; Generated: 2026-06-22; AI Q&A: 2026-06-22; EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: red_hat
Product: openshift_container_platform
Version / Range: * (all versions)
Exploitability
KEV: not listed
CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Executive Summary

This vulnerability exists in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The issue is in the WICD CSR auto-approver, which validates Certificate Signing Requests (CSRs) by checking if they contain the organization system:wicd-nodes. However, it does not reject additional organization values such as system:masters.

An attacker who compromises a Windows worker node with WICD credentials can submit a specially crafted CSR that includes both system:wicd-nodes and system:masters. Because the auto-approver only checks for system:wicd-nodes and allows extra groups, the CSR is auto-approved and signed by the cluster.

This results in a client certificate that grants cluster-administrator privileges (system:masters), enabling the attacker to take full control over the cluster.

Impact Analysis

If exploited, this vulnerability allows an attacker who has compromised a Windows worker node to escalate their privileges to cluster-administrator level.

This means the attacker can gain full administrative access to the entire OpenShift cluster, potentially leading to unauthorized control, data breaches, disruption of services, and manipulation or deletion of cluster resources.

Detection Guidance

Detection of this vulnerability involves monitoring Certificate Signing Requests (CSRs) submitted to the Kubernetes API server, specifically looking for CSRs that contain both the system:wicd-nodes and system:masters groups in the Subject Organization field.

You can use kubectl commands to list and inspect CSRs for suspicious organization values.

  • Run `kubectl get csr` to list CSRs together with their requester and current condition (Pending, Approved, Issued).
  • Use `kubectl get csr <csr-name> -o jsonpath='{.spec.username} {.spec.groups}'` to see which identity submitted a specific CSR and the groups that identity holds.
  • The organization values the auto-approver inspects are inside the encoded request itself, not in the groups field: decode it with `kubectl get csr <csr-name> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject` and look for a subject that lists both 'system:wicd-nodes' and 'system:masters', which indicates potential exploitation of this vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the automatic approval of CSRs from the Windows Machine Config Operator (WMCO) until a patch or fix is applied.

Review and tighten the CSR auto-approval logic to ensure that only CSRs containing exactly the system:wicd-nodes group are approved, rejecting any requests with additional groups such as system:masters.
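The following Go program is an added example, not code from WMCO or Red Hat, illustrating both the detection guidance above and this tightened approval rule. It parses the PEM request (the base64-decoded `.spec.request` of a CertificateSigningRequest object), pulls the Subject Organization values, and contrasts the membership-only check the advisory describes with a strict "exactly one organization, and it is system:wicd-nodes" check. All function names, the `makeTestCSR` fixture builder and the common name `placeholder-windows-node` are assumptions for illustration; the CSRs it builds are constructed locally with a throwaway key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// wicdNodesGroup is the organization value the WICD auto-approver expects (from the advisory text).
const wicdNodesGroup = "system:wicd-nodes"

// organizationsFromCSR parses a PEM certificate request, verifies its self-signature,
// and returns the Subject Organization values it carries.
func organizationsFromCSR(csrPEM []byte) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr.Subject.Organization, nil
}

// organizationsFromSpecRequest accepts the base64 form the API server stores in .spec.request.
func organizationsFromSpecRequest(b64 string) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return organizationsFromCSR(raw)
}

// weakApproves mirrors the flawed logic: membership only, so extra organizations pass.
func weakApproves(orgs []string) bool {
	for _, o := range orgs {
		if o == wicdNodesGroup {
			return true
		}
	}
	return false
}

// strictApproves is the hardened rule: exactly one organization, and it is system:wicd-nodes.
func strictApproves(orgs []string) bool {
	return len(orgs) == 1 && orgs[0] == wicdNodesGroup
}

// extraOrganizations lists organizations beyond system:wicd-nodes; non-empty is the detection signal.
func extraOrganizations(orgs []string) []string {
	var extra []string
	for _, o := range orgs {
		if o != wicdNodesGroup {
			extra = append(extra, o)
		}
	}
	return extra
}

// makeTestCSR builds a constructed CSR with a throwaway key; the CN is a placeholder, not WICD's scheme.
func makeTestCSR(cn string, orgs []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	for _, orgs := range [][]string{{wicdNodesGroup}, {wicdNodesGroup, "system:masters"}} {
		csrPEM, err := makeTestCSR("placeholder-windows-node", orgs)
		if err != nil {
			panic(err)
		}
		// Round-trip through the base64 form found in .spec.request.
		got, err := organizationsFromSpecRequest(base64.StdEncoding.EncodeToString(csrPEM))
		if err != nil {
			panic(err)
		}
		fmt.Printf("orgs=%v weak=%v strict=%v extra=%v\n", got, weakApproves(got), strictApproves(got), extraOrganizations(got))
	}
}
```

The same parsing path works for auditing already-approved CSRs: feed each object's `.spec.request` to `organizationsFromSpecRequest` and alert on any non-empty `extraOrganizations` result. Note that `.spec.groups` on the CSR object describes the identity that submitted the request; the organizations the approver must constrain are only visible after decoding the request itself, which is why the strict rule belongs in the approver and not in a check on the requester's groups.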

Additionally, monitor and audit Windows worker nodes for compromise, and rotate any WICD credentials if compromise is suspected.

Apply any vendor-provided patches or updates addressing this vulnerability as soon as they become available.

Compliance Impact

This vulnerability allows an attacker to escalate privileges to cluster-administrator level, enabling full administrative access to the Red Hat OpenShift Container Platform cluster.

Such unauthorized access and control over the cluster could lead to unauthorized data access, modification, or disruption of services, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require strict access controls and protection of sensitive data.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of data managed within the cluster, potentially violating compliance requirements.
