CVE-2019-11246: Kubernetes Potential Directory Traversal via kubectl cp

On June 26, the Kubernetes Product Security Team published a security announcement for a newly patched vulnerability in Kubernetes.

The announcement disclosed CVE-2019-11246, a potential directory traversal vulnerability identified in kubectl, the command line interface used to issue commands to Kubernetes clusters. The vulnerability exists within the kubectl copy operation (`kubectl cp`), which is used to copy files and directories to and from Kubernetes containers. The announcement notes this is similar to CVE-2019-1002101, another Kubernetes `kubectl cp` vulnerability that was reported at the end of March 2019 and detailed in a blog from StackRox. It appears the previous fix for CVE-2019-1002101 was incomplete and researchers identified a new exploit method. This continues a trend of `kubectl cp` directory traversal vulnerabilities, as a similar vulnerability, CVE-2018-1002100, was discovered and reported in March 2018.

Exploitation of CVE-2019-11246 follows in its predecessors footsteps, leading to directory traversal, allowing for the creation or replacement of files on a user’s system. However, the vulnerability would require an attacker to replace the tar binary inside a container with a malicious version and wait for the victim to run the `kubectl cp` command.

Patches for CVE-2019-11246 are available. These patched versions include Kubernetes 1.12.9, 1.13.6 and 14.2 or newer. Users can check to see whether or not they’re running a vulnerable version of kubectl by running the `kubectl version --client` command. However, the Kubernetes Product Security Team cautions that “Not all instructions will provide up-to-date kubectl versions at the time of this announcement” and advises users confirm the version using the version command referenced above when upgrading.

Additionally, Google Cloud issued an advisory for Google Kubernetes Engine (GKE) earlier today. The advisory specifies all versions of GKE for gcloud are affected by CVE-2019-11246 and recommend users upgrade to the latest patch “when it becomes available” indicating that patches are not yet available.