In addition to CVE-2019-1002101 and CVE-2019-11246, Kubernetes has recently discovered another security issue concerning the kubectl cp (copy) command. This vulnerability, CVE-2019-11251, allows attackers to perform a directory traversal by using a malicious TAR file to overwrite files under paths outside the target path on the host. The attack is limited only by the system permissions of the local user.

Background

The kubectl cp command is used to copy files between containers and hosts. When you copy a file from a container to your host by running the kubectl cp command, Kubernetes performs the following three steps: it creates a TAR file in the container, sends the file to your host, and then unpacks the file on your host.

If an attacker has permission to run the kubectl cp command, they can send a malicious TAR file to perform a directory traversal attack on your host.

To fix this vulnerability, kubectl 1.16.0 removes support for symbolic links in the kubectl cp command. We recommend that you use kubectl exec + tar if you still need the symlink functionality. Earlier versions still support symlinks but unpack the symlinks only after all the regular files have been extracted.
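
The check below is an added example, not code from Kubernetes or from this advisory: it reads only the headers of a TAR stream (such as one produced with kubectl exec + tar) and reports entries that would land outside the extraction directory, including files routed through a symlink. The function names and the sample archive are constructed for illustration, and the path check is lexical only.

```python
import io
import posixpath
import tarfile

def escapes(path):
    """True if a POSIX path is absolute or normalises to above its root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")

def audit_tar(fileobj):
    """Return [(member, reason)] for entries unsafe to extract; reads headers only."""
    findings, links = [], set()  # links: link entries seen so far
    with tarfile.open(fileobj=fileobj, mode="r|*") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            parts = name.split("/")
            prefixes = {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
            if escapes(m.name):
                findings.append((m.name, "path leaves the target directory"))
            elif prefixes & links:
                # Extraction would follow the earlier link out of the target.
                findings.append((m.name, "path passes through a link entry"))
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard-link targets to the archive root.
                base = posixpath.dirname(name) if m.issym() else ""
                if escapes(posixpath.join(base, m.linkname)):
                    findings.append((m.name, "link target outside the target directory"))
            if m.issym() or m.islnk():
                links.add(name)
    return findings

def constructed_sample():
    """Constructed archive: one benign file, one escaping symlink, one file under it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, target in [("app/config.yaml", tarfile.REGTYPE, ""),
                                   ("app/logs", tarfile.SYMTYPE, "../../elsewhere"),
                                   ("app/logs/out.txt", tarfile.REGTYPE, "")]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tar.addfile(info)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for member, reason in audit_tar(constructed_sample()):
        print(f"UNSAFE {member}: {reason}")
```

To audit a real stream, pass sys.stdin.buffer to audit_tar and extract only when the returned list is empty.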

Affected versions

You can run the kubectl version --client command to check your kubectl version.

Affected versions are as follows:

  • kubectl 1.0.x-1.12.x
  • kubectl 1.13.0-1.13.10 (fixed in v1.13.11)
  • kubectl 1.14.0-1.14.6 (fixed in v1.14.7)
  • kubectl 1.15.0-1.15.3 (fixed in v1.15.4)

Impact

Attackers can use the kubectl cp command to overwrite files under paths outside the target path on the host.

Fix

Upgrade kubectl. For more information, see Install and set up kubectl. Make sure to check the kubectl version after the installation.