VYPR
High severity · NVD Advisory · Published Jan 9, 2023 · Updated Mar 10, 2025

GitOps Run allows for Kubernetes workload injection

CVE-2022-23508

Description

Weave GitOps versions prior to v0.12.0 expose an unauthenticated local S3 endpoint, allowing local users to inject arbitrary workloads into a Kubernetes cluster without credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

Weave GitOps, an open-source platform for GitOps-based Kubernetes management, contained a vulnerability in its gitops run feature: the feature exposed a local S3 bucket endpoint with no authentication [1][2]. The bucket is the staging area for files that gitops run synchronizes into the Kubernetes cluster, where they are applied as resources. Because the endpoint required no credentials, any local user or process on the same machine could read from and write to the bucket [2].

Exploitation and Attack Surface

An attacker with local access to the machine running gitops run could exploit this by writing a malicious manifest into the S3 bucket [2]. The attacker needs neither bucket credentials nor credentials for the target Kubernetes cluster. The injected content is then picked up and applied to the cluster by the normal synchronization process, which lets the attacker create or alter cluster resources [2].

Impact

Successful exploitation enables an attacker to deploy arbitrary workloads to the Kubernetes cluster, potentially gaining control over resources, disrupting services, or exfiltrating data [2]. Because the S3 endpoint performs no authentication, the trust boundary collapses to the host: any co-located process or user can reach the target cluster with no credentials at all [2].

Mitigation

This vulnerability is fixed in Weave GitOps version v0.12.0, released on 08/12/2022, via commits 75268c4 and 966823b [1][4]. No workarounds exist; users must upgrade to the patched version [2].
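The following Go program is an added illustration of the weakness described in the Overview and Exploitation sections and of the shape of the fix described under Mitigation; it is not Weave GitOps code and does not reproduce its bucket server or the actual patch commits. It models a toy in-memory S3-style object store in two variants: one that accepts any PUT (the vulnerable pattern), and one that rejects a PUT unless it carries a valid request MAC under a per-session secret (a simplified stand-in for requiring credentials; real S3 endpoints use AWS SigV4). The probe function anonymousWriteAccepted is the check a practitioner would run against a local bucket endpoint: does an unauthenticated PUT of a manifest land in the bucket? The store, the signature header name, the secret and the embedded Pod manifest are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Constructed sample payload: a privileged pod is the classic workload an
// attacker would drop into a sync bucket that the applier blindly reconciles.
const injectedManifest = `apiVersion: v1
kind: Pod
metadata:
  name: injected
spec:
  hostPID: true
  containers:
  - name: shell
    image: alpine
    command: ["sleep", "infinity"]
    securityContext:
      privileged: true
`

// bucketStore is a hypothetical in-memory S3-style object store.
type bucketStore struct {
	mu      sync.Mutex
	objects map[string][]byte
}

func newBucketStore() *bucketStore { return &bucketStore{objects: map[string][]byte{}} }

func (s *bucketStore) has(key string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.objects[key]
	return ok
}

// store handles PUT /<key>: the "keep whatever arrives" core both handlers share.
func (s *bucketStore) store(w http.ResponseWriter, r *http.Request, body []byte) {
	if r.Method != http.MethodPut {
		http.Error(w, "MethodNotAllowed", http.StatusMethodNotAllowed)
		return
	}
	s.mu.Lock()
	s.objects[r.URL.Path] = body
	s.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// unauthenticatedHandler reproduces the vulnerable pattern: no credential check,
// so any process that can reach the listener can write objects.
func (s *bucketStore) unauthenticatedHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		s.store(w, r, body)
	})
}

// sign is the hypothetical request MAC: HMAC-SHA256 over method, path and body
// under a per-session secret. It stands in for "the request must carry a credential".
func sign(secret []byte, method, path string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(method + "\n" + path + "\n"))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// authenticatedHandler is the hardened variant: a PUT whose MAC does not verify
// is refused before anything touches the bucket.
func (s *bucketStore) authenticatedHandler(secret []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		want := sign(secret, r.Method, r.URL.Path, body)
		if !hmac.Equal([]byte(r.Header.Get("X-Bucket-Signature")), []byte(want)) {
			http.Error(w, "AccessDenied", http.StatusForbidden)
			return
		}
		s.store(w, r, body)
	})
}

// putObject issues PUT endpoint+key; an empty sig sends no credential at all,
// which is exactly what a co-located attacker would do.
func putObject(endpoint, key string, body []byte, sig string) (int, error) {
	req, err := http.NewRequest(http.MethodPut, endpoint+key, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	if sig != "" {
		req.Header.Set("X-Bucket-Signature", sig)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// anonymousWriteAccepted reports whether an unauthenticated PUT of the sample
// manifest is accepted by the bucket endpoint.
func anonymousWriteAccepted(endpoint string) (bool, error) {
	code, err := putObject(endpoint, "/injected.yaml", []byte(injectedManifest), "")
	return code == http.StatusOK, err
}

func main() {
	vuln := newBucketStore()
	vs := httptest.NewServer(vuln.unauthenticatedHandler())
	defer vs.Close()
	ok, _ := anonymousWriteAccepted(vs.URL)
	fmt.Printf("vulnerable endpoint accepted anonymous write: %v (stored=%v)\n", ok, vuln.has("/injected.yaml"))

	secret := []byte("replace-with-crypto/rand-per-session") // hypothetical placeholder
	fixed := newBucketStore()
	fs := httptest.NewServer(fixed.authenticatedHandler(secret))
	defer fs.Close()
	ok, _ = anonymousWriteAccepted(fs.URL)
	fmt.Printf("hardened endpoint accepted anonymous write: %v (stored=%v)\n", ok, fixed.has("/injected.yaml"))
}
```

Run against a real local endpoint, the probe reduces to one unauthenticated PUT: a 200 means anything on the host can feed the applier, and the object key it wrote should then be removed before the next reconciliation picks it up. The hardened handler verifies the MAC before calling the shared store path, so a rejected request never mutates the bucket; the secret in main is a placeholder and a real implementation would draw it from crypto/rand per session.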

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Ecosystem   Affected versions   Patched versions
github.com/weaveworks/weave-gitops    Go          < 0.12.0            0.12.0

Affected products: 2

Patches: 0 (none discovered by this index yet; see Mitigation above for the fixing commits)


References: 5
