The vulnerability could let attackers introduce malicious code into cloud production environments.
Kyverno’s admission controller offers a signature verification mechanism to ensure that only signed container images can enter a Kubernetes cluster.
The vulnerability, tracked as CVE-2022-47633, allows a user to bypass the mentioned signature verification.
How the vulnerability works:
Attackers might host malicious images on compromised accounts and use phishing to trick users into pulling them as well.
- The user is persuaded to use a malicious proxy to download the container images, or to run a signed image from a malicious container registry.
- When the admission controller is asked to validate the pod, it requests the image's signature and its manifest from the container registry (the manifest yields the image hash).
- The admission controller verifies the signature of the signed image that the malicious proxy returns.
- Because of CVE-2022-47633, the admission controller requests the manifest of the signed image a second time to obtain the digest used for mutation, but this time the malicious registry returns the manifest of the unsigned, malicious image.
- Having been approved, the pod starts running the malicious image.
Version 1.8.5 addresses the vulnerability by ensuring that the same image hash used to verify the signature is also the one written into the workload specification.
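To make the mismatch between the verified manifest and the mutated digest concrete, here is an added toy model in Go (not Kyverno's own code): a hypothetical registry that serves the signed manifest on the first fetch and an unsigned one on every later fetch, an admission check that re-fetches the manifest after verifying it (the pattern above), and one that pins the digest it actually verified, as version 1.8.5 does. Signature verification is reduced to a digest comparison, standing in for cosign.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
)

// registry models the manifest and signature the admission controller fetches.
type registry struct {
	manifest  func() []byte
	signature string
}

// maliciousRegistry (hypothetical) serves the signed manifest on the first
// fetch, so verification passes, and an unsigned one on every later fetch.
func maliciousRegistry(signed, unsigned []byte) *registry {
	calls := 0
	return &registry{signature: digest(signed), manifest: func() []byte {
		calls++
		if calls == 1 {
			return signed
		}
		return unsigned
	}}
}

func digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// verify is a toy stand-in for cosign: the "signature" is the attested digest.
func verify(sig, dgst string) bool { return sig == dgst }

// vulnerableAdmit re-fetches the manifest after verifying it (the CVE-2022-47633 pattern).
func vulnerableAdmit(r *registry) (string, bool) {
	if !verify(r.signature, digest(r.manifest())) {
		return "", false
	}
	return digest(r.manifest()), true // second fetch may differ from what was verified
}

// fixedAdmit pins the digest that was actually verified (the 1.8.5 fix).
func fixedAdmit(r *registry) (string, bool) {
	d := digest(r.manifest())
	if !verify(r.signature, d) {
		return "", false
	}
	return d, true
}
```

Against the malicious registry, vulnerableAdmit approves the pod with the unsigned image's digest, while fixedAdmit approves it only with the digest whose signature was checked.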