CVE-2020-8567 in Secrets Store CSI Driver Vault Plugin

Summary

by MITRE • 01/22/2021

Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.


Analysis

by VulDB Data Team • 02/19/2021

The vulnerability identified as CVE-2020-8567 affects the provider plugins of the Kubernetes Secrets Store Container Storage Interface (CSI) Driver for HashiCorp Vault, Microsoft Azure, and Google Cloud Platform. It is present in the Vault plugin prior to v0.0.6, the Azure plugin prior to v0.0.10, and the GCP plugin prior to v0.2.0, and it is a path traversal flaw that can be turned into privilege escalation inside a cluster. The root cause is missing validation of the file names taken from SecretProviderClass objects, the Kubernetes custom resources that tell the CSI driver which provider to use, which secrets to fetch, and under which file names to mount them: the plugins used those names to build paths on the node without checking that the result stayed inside the pod's volume directory.

The flaw is triggered by a SecretProviderClass whose object names or aliases contain path components such as "../". The provider plugin runs on every node and writes each fetched secret into the requesting pod's volume directory under /var/lib/kubelet/pods, so a name that walks out of that directory lets the attacker place the secret's content at an arbitrary location on the host filesystem, including the volume directories of other pods on the same node. The written bytes are whatever the named backend returns, so an attacker who also controls a secret in that backend controls the file content. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal") and CWE-73 (External Control of File Name or Path); both describe file paths built from untrusted input without confining the result. The resulting write primitive can overwrite files on the node or drop scripts and configuration into other pods' volumes, breaking the isolation that the pod filesystem boundary is supposed to provide.
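The following Go program is an added illustration of the bug class, written for this page; it is not code from the Secrets Store CSI Driver or from any of the provider plugins. The function names, the volume layout under /var/lib/kubelet/pods, and the pod UIDs are assumptions made for the example. It contrasts an unchecked filepath.Join of the object name onto the pod's mount path with a hardened resolver that rejects any name whose cleaned path is not a strict descendant of the mount directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when an object name from a SecretProviderClass
// would resolve outside the pod's secrets-store mount directory.
var ErrPathEscape = errors.New("object file name escapes the mount directory")

// vulnerableSecretPath mirrors the pre-fix pattern described in the advisory:
// the file name taken from the SecretProviderClass is joined to the volume
// path with no check, so "../" segments walk out of the mount. (Illustrative,
// not the plugins' actual code.)
func vulnerableSecretPath(targetPath, objectName string) string {
	return filepath.Join(targetPath, objectName)
}

// safeSecretPath is the hardened form: reject empty and absolute names, build
// the cleaned path, then confirm it is a strict descendant of targetPath by
// checking that the relative path back from targetPath does not start with "..".
func safeSecretPath(targetPath, objectName string) (string, error) {
	if objectName == "" || filepath.IsAbs(objectName) {
		return "", fmt.Errorf("invalid object file name %q", objectName)
	}
	base := filepath.Clean(targetPath)
	full := filepath.Join(base, objectName) // Join runs Clean, collapsing ".." segments
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// rel is "." when full == base, and ".." or "../x" when the name escaped.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %s", ErrPathEscape, objectName, full)
	}
	return full, nil
}

func main() {
	// Assumed layout of a CSI volume under the kubelet pods directory; the pod UIDs are made up.
	targetPath := "/var/lib/kubelet/pods/0b1e2f3a/volumes/kubernetes.io~csi/secrets-store/mount"
	names := []string{
		"db/password", // legitimate: lands inside the mount
		"../../../../../c0ffee/volumes/kubernetes.io~empty-dir/scripts/entrypoint.sh", // walks into another pod's volume
		"/etc/cron.d/job", // absolute name: Join would keep it inside, but it is never a valid object name
		"a/../../escape",  // traversal hidden behind a normal-looking segment
	}
	for _, n := range names {
		fmt.Printf("object %q\n  vulnerable join -> %s\n", n, vulnerableSecretPath(targetPath, n))
		if p, err := safeSecretPath(targetPath, n); err != nil {
			fmt.Printf("  hardened        -> rejected: %v\n", err)
		} else {
			fmt.Printf("  hardened        -> %s\n", p)
		}
	}
}
```

The second name is the interesting one: five "../" segments move from the mount directory up to /var/lib/kubelet/pods, and the remainder selects a different pod's emptyDir volume, which is exactly the cross-pod write the advisory describes. The hardened check does not try to strip ".." from the input; it resolves the path and then verifies the result, so encoded or nested traversal variants are caught by the same test.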

The operational impact of this vulnerability is severe within Kubernetes environments. An attacker who can create or modify SecretProviderClass objects, and run a pod that mounts one, gains the ability to write files into critical directories on the node, which compromises the node's security posture as a whole. That write primitive supports privilege escalation: modifying files in other pods' volumes, injecting code into running containers, or establishing a persistent foothold on the node. Multi-tenant clusters are particularly exposed, because SecretProviderClass is a namespaced resource while the kubelet's pod directory on the node is shared, so a tenant with create rights in its own namespace can reach the volumes of pods belonging to other tenants scheduled on the same node. From an ATT&CK framework perspective, VulDB maps this vulnerability to T1059 Command and Scripting Interpreter and T1078 Valid Accounts, covering the execution and persistence an adversary can obtain through the arbitrary write.

Mitigation for CVE-2020-8567 starts with upgrading the affected plugins: v0.0.6 or later for Vault, v0.0.10 or later for Azure, and v0.2.0 or later for GCP. Organizations should also apply strict RBAC policies that limit who can create or modify SecretProviderClass objects, since that permission is the precondition for the attack. Further protective measures include pod security policies that restrict volume mounts, monitoring for unexpected file creation under /var/lib/kubelet/pods and other critical directories, and periodic audits of CSI driver and provider configurations. The vulnerability highlights the importance of validating all user-supplied file names and confining resolved paths to their intended directory, particularly in containerized environments where a single node-level component serves workloads from many tenants.

Responsible

Kubernetes

Reservation

02/03/2020

Disclosure

01/22/2021

Moderation

accepted

CPE

ready

EPSS

0.00114

KEV

no

Activities

very low
