CVE-2022-44640 (Remote code execution) #642

Closed
thrivikramgit opened this issue Aug 10, 2023 · 5 comments · Fixed by #684

Comments

@thrivikramgit

Summary

It was observed that the image registry.k8s.io/sig-storage/smbplugin:v1.11.0 was using Heimdal, which is vulnerable to CVE-2022-44640.

Details

It is caused by an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC), which leads to arbitrary code execution.

PoC

Scan the image registry.k8s.io/sig-storage/smbplugin:v1.11.0 using any Docker image scanner like Trivy. We should see the affected CVE.
https://github.com/kubernetes-csi/csi-driver-smb/blob/master/deploy/v1.11.0/csi-smb-controller.yaml#L72

Impact

This is potentially a remote code execution (RCE) against Heimdal KDCs.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-44640
GHSA-88pm-hfmq-7vv4

@andyzhangx
Member

Will cut a new release v1.12.0 since registry.k8s.io/sig-storage/smbplugin:canary does not have the CVE.

@andyzhangx
Member

pls try with registry.k8s.io/sig-storage/smbplugin:v1.12.0

@thrivikramgit
Author

Hello @andyzhangx,
I tried again with Trivy and found that the CVE still exists for the image registry.k8s.io/sig-storage/smbplugin:v1.12.0. Could you please check this again?

Thanks for your support

@andyzhangx
Member

> Hello @andyzhangx, I tried again with Trivy and found that the CVE still exists for the image registry.k8s.io/sig-storage/smbplugin:v1.12.0. Could you please check this again?
>
> Thanks for your support

@thrivikramgit we only fix packages that have a fixed version; there is no fixed version for the libwbclient0 package.

# trivy image --ignore-unfixed registry.k8s.io/sig-storage/smbplugin:v1.12.0
2023-08-30T11:50:06.081Z        INFO    Vulnerability scanning is enabled
2023-08-30T11:50:06.081Z        INFO    Secret scanning is enabled
2023-08-30T11:50:06.081Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-08-30T11:50:06.081Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-08-30T11:50:06.362Z        INFO    Detected OS: debian
2023-08-30T11:50:06.362Z        INFO    Detecting Debian vulnerabilities...
2023-08-30T11:50:06.373Z        INFO    Number of language-specific files: 1
2023-08-30T11:50:06.373Z        INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/sig-storage/smbplugin:v1.12.0 (debian 11.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
│  libwbclient0         │  CVE-2022-44640   │  CRITICAL │  2:4.13.13+dfsg-1~deb11u5 │                │  Heimdal before 7.7.1 allows remote attackers to execute      │
│                       │                   │           │                           │                │  arbitrary code ...                                           │
│                       │                   │           │                           │                │  https://avd.aquasec.com/nvd/cve-2022-44640                   │
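
The two scan results in this thread differ only in whether findings without a fixed package version are shown. The following is an added example, not part of the original thread or the project's code, that makes that split explicit from a Trivy JSON report. The embedded report is constructed (the libwbclient0 entry mirrors the row above; `libexample1` and `CVE-0000-00000` are placeholders), `split_by_fix` and `needs_compensating_control` are hypothetical helper names, and it assumes that a finding with no `FixedVersion` is what `--ignore-unfixed` hides.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output.
# The libwbclient0 row mirrors the thread; libexample1 / CVE-0000-00000 are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "registry.k8s.io/sig-storage/smbplugin:v1.12.0 (debian 11.7)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-44640", "PkgName": "libwbclient0",
             "InstalledVersion": "2:4.13.13+dfsg-1~deb11u5", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-00000", "PkgName": "libexample1",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
        ],
    }, {
        "Target": "smbplugin", "Type": "gobinary"  # no "Vulnerabilities" key when clean
    }]
})


def split_by_fix(report_json):
    """Return (fixable, unfixed) findings from a Trivy JSON report.

    Assumption: a finding with no FixedVersion has no patched distro package
    yet, which is the set that --ignore-unfixed leaves out of the output.
    """
    fixable, unfixed = [], []
    report = json.loads(report_json)
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            row = (vuln["PkgName"], vuln["VulnerabilityID"], vuln.get("Severity", "UNKNOWN"))
            if vuln.get("FixedVersion"):
                fixable.append(row)
            else:
                unfixed.append(row)
    return fixable, unfixed


def needs_compensating_control(report_json, severities=("HIGH", "CRITICAL")):
    """Unfixed findings at the given severities: an image rebuild cannot clear
    these, so they have to be tracked separately from the fixable ones."""
    _, unfixed = split_by_fix(report_json)
    return sorted(row for row in unfixed if row[2] in severities)


if __name__ == "__main__":
    fixable, unfixed = split_by_fix(SAMPLE_REPORT)
    print("fixable by rebuild/upgrade:", fixable)
    print("hidden by --ignore-unfixed:", unfixed)
```
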

@andyzhangx
Member

would be fixed by #657
