Service Notices

All Notices > Security Notices > Misconfigured Kubeflow Causes Unauthorized Access Vulnerability

Misconfigured Kubeflow Causes Unauthorized Access Vulnerability

Jun 15, 2020 GMT+08:00

I. Overview

A security team has recently disclosed an unauthorized access vulnerability caused by misconfigured Kubeflow. This vulnerability can be exploited for malicious mining or even remote server control.

Kubeflow is a machine learning tool package in the Kubernetes cluster. You can use the Kubeflow function through the API server connected to the dashboard, and then use the dashboard to manage your tasks. The dashboard is exposed by Istio ingress gateway, which is by default accessible only internally. However, if the default configuration of Istio service is set to Load-Balancer, the dashboard is exposed to the internet, thus anyone can access the dashboard and modify the Kubeflow function.

If you are Kubeflow user, check your system and implement timely security hardening.

Reference link:

https://www.microsoft.com/security/blog/2020/06/10/misconfigured-kubeflow-workloads-are-a-security-risk/?spm=a2c4g.11174386.n2.3.5c871051EQNQto

https://mp.weixin.qq.com/s/UGwxgA2ZLH4YSSuXOa_1Mw

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Users

Users who use Kubeflow and change the Istio service to the Load-Balancer are affected.

IV. Vulnerability Handling

How to check whether your cluster is affected:

1. Run the following command to check whether malicious containers are deployed in the cluster:

kubectl get pods –all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}"  | grep -i ddsfdfsaadfs

2. Check whether the dashboard is exposed to Internet. Run the following command to check the type of the Istio entry service, and ensure that it is not a load balancer with a public IP address.

kubectl get service istio-ingressgateway -n istio-system

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.