Kubevirt: Kubevirt API vulnerability

Created on 3 Dec 2018  路  9Comments  路  Source: kubevirt/kubevirt

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug
/kind enhancement

What happened:
After installing kubevirt 0.9.1 and 0.10.0 we found that apicalls are opening ports and there is a bot crawling for this, we had to make sure firewalls are strict (as they should be) but this was for a test env, remove the commands being run, and reboot with strict instance firewall rules and os.

What you expected to happen:
Not this

How to reproduce it (as minimally and precisely as possible):
Keep kubevirt open to the world and wait a week or a few days.

Anything else we need to know?:

root 931 71.9 0.0 98684 12840 ? Ssl Dec02 1388:34 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 2515 53.7 0.0 98552 12900 ? Ssl Dec02 696:45 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 9818 153 0.0 98680 12952 ? Ssl Nov30 7820:37 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 10043 66.7 0.0 98672 12884 ? Ssl 07:59 441:56 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 10080 128 0.0 98680 12936 ? Ssl Nov30 5760:35 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
root 10700 272 0.0 98688 12944 ? Ssl Nov29 15644:23 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 10743 44.9 0.0 98536 12888 ? Ssl 07:59 297:15 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B
brandon 19210 171 0.0 98680 12844 ? Ssl Dec01 5492:09 /tmp/nanoWatch -o pool.t00ls.ru:19000 -k -B

Environment:

  • KubeVirt version (use virtctl version): 0.9.1 & 0.10.0
  • Kubernetes version (use kubectl version): 1.10.4
  • VM or VMI specifications: Win10
  • Cloud provider or hardware configuration: GCP
  • OS (e.g. from /etc/os-release): Host is Ubuntu 16.04
  • Kernel (e.g. uname -a): (had to restart instance and lost serial connection)
  • Install tools: N/A
  • Others: N/A
kinbug sisecurity

All 9 comments

After installing kubevirt 0.9.1 and 0.10.0 we found that apicalls are opening ports and there is a bot crawling for this, we had to make sure firewalls are strict (as they should be) but this was for a test env, remove the commands being run, and reboot with strict instance firewall rules and os.

@bitbucket90 If this is really the case then this sounds severe. I am however not sure I understand this report. Mabye you can help us out with some more details. How did you install kubevirt?

At least this repo kubevirt/kubevirt and the manifest we provide on the release page do not open any ports in any way I know of. Which API calls are happening?

I see that you used GCP, is GCP by default enabling a firewall?

@bitbucket90 What do you mean by Keep kubevirt open to the world, I know you can create GCE load balancer to make external access to the cluster, but it should expose just specified services and ports.

@bitbucket90 how did you deploy kubevirt?

Kubevirt is being deployed per your recommendations (env arg then the kubectl apply -f httplink) We are doing this in a managed K8 single node cluster (using our propitiatory management system) the issue however seems to have happened twice, and may not be related to https://github.com/kubernetes/kubernetes/issues/71411 ; I believe @fabiand emailed me and am going to setup a call.

There was ingress allowed all for all ports with no limits on ip's to test some vnc clients, which is NOT recommended, however the same malware (looks to be a miner) found its way in and deployed and this was on the following:

Docker 17.06 CE, K8 1.10.4, KV 0.10.0 & 0.9.1, Ubuntu 16.04 updated to latest, no password ssh all keys. I have run this exact same setup with ports open, no kubevirt, and nothing was compromised (could be luck of the "crawl")

@bitbucket90 given the issue reported on ingress-nginx can you confirm whether or not you're using nginx for ingress?

@bitbucket90 given the issue reported on ingress-nginx can you confirm whether or not you're using nginx for ingress?

This would be it. I do apologize for the lack of response.

After receiving message from a colleague this was not deployed with nginx as ingress, however its the same crypto miner.

You mentioned 1.10.4. you sure its not https://github.com/kubernetes/kubernetes/issues/71411 ?

You mentioned 1.10.4. you sure its not kubernetes/kubernetes#71411 ?

That is what we are thinking this is related to after speaking with a few others.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

nunnatsa picture nunnatsa  路  3Comments

booxter picture booxter  路  6Comments

x8091 picture x8091  路  5Comments

shubhindia picture shubhindia  路  6Comments

dhiller picture dhiller  路  4Comments