GHSA-fcpm-6mxq-m5vv

Описание

Summary

A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce.

Details

The vulnerability exists in the namespace validation webhook logic located in pkg/webhook/namespace/validation/patch.go:60-77. The critical flaw is in the conditional check that only validates tenant ownership when a namespace already has a tenant label:

Root Cause Analysis:

1. Missing Default Protection: System namespaces (kube-system, default, capsule-system) do not have the capsule.clastix.io/tenant label by default
2. Bypass Logic: The webhook only enforces tenant ownership validation when the target namespace already belongs to a tenant
3. Unrestricted Label Injection: Authenticated users can inject arbitrary labels into unprotected namespaces

Attack Vector Path:

This mirrors the CVE-2024-39690 attack pattern but uses label injection instead of ownerReference manipulation:

• CVE-2024-39690: ownerReference(user-controlled) → tenant.Status.Namespaces(system state) → quota/permission check(auth policy) → namespace hijacking
• This vulnerability: Label injection(user-controlled) → Namespace selector(system matching) → TenantResource/Quota check(auth policy) → cross-tenant resource access

PoC

Prerequisites:

• Minikube cluster with Capsule v0.10.3 installed
• Authenticated tenant user with basic RBAC permissions

Step 1: Environment Setup

Step 2: Label Injection Attack

Step 3: Exploitation via TenantResource

Step 4: Verification of Impact

Automated Testing Script: A complete vulnerability verification script is available that tests:

• Label injection into multiple system namespaces
• TenantResource exploitation
• Cross-tenant resource access verification
• Impact assessment and cleanup

Impact

Vulnerability Type: Authorization Bypass / Privilege Escalation

Who is Impacted:

• Multi-tenant Kubernetes clusters using Capsule v0.10.3 and potentially earlier versions
• Organizations relying on Capsule for tenant isolation and resource governance
• Cloud service providers offering Kubernetes-as-a-Service with Capsule-based multi-tenancy

Security Impact:

1. Multi-tenant Isolation Bypass: Attackers can access resources from other tenants or system namespaces
2. Privilege Escalation: Tenant users can gain access to cluster-wide resources and sensitive system components
3. Data Exfiltration: Potential access to secrets, configmaps, and other sensitive data in system namespaces
4. Resource Quota Bypass: Ability to consume resources outside assigned tenant boundaries
5. Policy Circumvention: Bypass network policies, security policies, and other tenant-level restrictions

Real-world Exploitation Scenarios:

• Access to kube-system secrets containing cluster certificates and service account tokens
• Modification or replication of critical system configurations
• Cross-tenant data access in shared clusters
• Potential cluster-wide compromise through system namespace access

Severity: High - This vulnerability fundamentally breaks the multi-tenant security model that Capsule is designed to provide, allowing authenticated users to escape their tenant boundaries and access system-level resources.