CVE-2023-34091 in Kyverno

Summary

by MITRE • 06/01/2023

Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `Enforce`. This situation occurs as resources pending deletion were being consciously exempted by Kyverno, as a way to reduce processing load as policies are typically not applied to objects which are being deleted. However, this could potentially result in allowing a malicious user to leverage the Kubernetes finalizers feature by setting a finalizer which causes the Kubernetes API server to set the `deletionTimestamp` and then not completing the delete operation as a way to explicitly bypass a Kyverno policy. Note that this is not applicable to Kubernetes Pods but, as an example, a Kubernetes Service resource can be manipulated using an indefinite finalizer to bypass policies. This is resolved in Kyverno 1.10.0. There is no known workaround.


Analysis

by VulDB Data Team • 06/01/2023

CVE-2023-34091 is a policy-enforcement bypass in the Kyverno policy engine before version 1.10.0: a resource whose metadata.deletionTimestamp is set is not evaluated against validate, generate, or mutate-existing policies, even when validationFailureAction is Enforce. The exemption was deliberate. Kyverno skipped objects pending deletion to save processing, on the assumption that a policy rarely matters for an object about to disappear. The weakness is classified as CWE-284 (Improper Access Control). It is exploitable because deletionTimestamp does not mean the object is gone: attaching a finalizer that is never removed makes the API server set deletionTimestamp and then leave the object in place indefinitely, which is exactly the state the engine ignored. Pods are not affected; other resource kinds, with Services as the advisory's example, are.

The bypass rests on the standard Kubernetes deletion lifecycle. Finalizers are entries in an object's metadata.finalizers list (not its spec). When deletion is requested for an object that has finalizers, the API server sets metadata.deletionTimestamp and returns; the object is only removed once every finalizer has been cleared, normally by the controller that added it. An attacker who can write the resource adds a finalizer that no controller will ever remove, requests deletion, and is left with a live object that carries deletionTimestamp for as long as they like. Later updates to that object still pass through admission, but the pre-1.10.0 engine read the timestamp as a sign that the object was transient and returned without evaluating any policy. This is a fail-open enforcement gap rather than a privilege-escalation primitive: the attacker gains no new permissions, but the permissions they already hold are no longer constrained by Kyverno for that object.
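To make the lifecycle concrete, the following Go program is an illustration added for this page, not Kyverno's code. It models the API server's handling of finalizers on delete, a single hypothetical Enforce-mode validate rule (Service type LoadBalancer forbidden), and replays the sequence above against a pre-1.10.0-style admission check that exempts objects with deletionTimestamp and against a corrected check that does not. The Service and Cluster types, the finalizer name example.com/never-finished and the policy itself are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ObjectMeta holds the subset of Kubernetes metadata that matters here (toy type, not the real API).
type ObjectMeta struct {
	Name              string
	Finalizers        []string
	DeletionTimestamp *time.Time
}

// Service is a stand-in for a Kubernetes Service; only the type field is policed.
type Service struct {
	Meta ObjectMeta
	Type string // "ClusterIP", "NodePort" or "LoadBalancer"
}

// validate is the hypothetical Enforce-mode rule: no LoadBalancer Services.
func validate(svc Service) error {
	if svc.Type == "LoadBalancer" {
		return errors.New("validation error: Service type LoadBalancer is not allowed")
	}
	return nil
}

// vulnerableAdmit models the pre-1.10.0 behaviour: objects pending deletion are exempted (fail-open).
func vulnerableAdmit(svc Service) error {
	if svc.Meta.DeletionTimestamp != nil {
		return nil
	}
	return validate(svc)
}

// fixedAdmit models the behaviour the advisory describes for 1.10.0: no exemption.
func fixedAdmit(svc Service) error {
	return validate(svc)
}

// Cluster is a minimal model of the API server lifecycle for one object.
type Cluster struct {
	admit func(Service) error
	obj   *Service
}

func (c *Cluster) Create(svc Service) error {
	if err := c.admit(svc); err != nil {
		return err
	}
	c.obj = &svc
	return nil
}

// Update applies a change to a copy and admits the result, as an admission webhook sees it.
func (c *Cluster) Update(mutate func(*Service)) error {
	candidate := *c.obj
	mutate(&candidate)
	if err := c.admit(candidate); err != nil {
		return err
	}
	c.obj = &candidate
	return nil
}

// Delete mirrors the API server: with finalizers present it only stamps deletionTimestamp.
func (c *Cluster) Delete(now time.Time) {
	if len(c.obj.Meta.Finalizers) > 0 {
		c.obj.Meta.DeletionTimestamp = &now
		return
	}
	c.obj = nil
}

// runBypass replays the attack and returns the admission result of the final, non-compliant update.
func runBypass(admit func(Service) error) error {
	c := &Cluster{admit: admit}
	// 1. Create a compliant Service; this passes under both engines.
	if err := c.Create(Service{Meta: ObjectMeta{Name: "web"}, Type: "ClusterIP"}); err != nil {
		return fmt.Errorf("unexpected: compliant create denied: %w", err)
	}
	// 2. Attach a finalizer that no controller will ever remove (assumed name).
	if err := c.Update(func(s *Service) {
		s.Meta.Finalizers = append(s.Meta.Finalizers, "example.com/never-finished")
	}); err != nil {
		return fmt.Errorf("unexpected: finalizer update denied: %w", err)
	}
	// 3. Request deletion: the object stays, now carrying deletionTimestamp.
	c.Delete(time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC))
	// 4. Switch to the forbidden type while "pending deletion".
	return c.Update(func(s *Service) { s.Type = "LoadBalancer" })
}

func main() {
	for name, admit := range map[string]func(Service) error{"pre-1.10.0": vulnerableAdmit, "1.10.0": fixedAdmit} {
		if err := runBypass(admit); err != nil {
			fmt.Printf("%-10s denied:  %v\n", name, err)
		} else {
			fmt.Printf("%-10s allowed: Service is now type LoadBalancer while pending deletion\n", name)
		}
	}
}
```

Run with go run: the pre-1.10.0 path reports the final update as allowed, the corrected path reports it denied. Against a real cluster the same sequence is a patch that appends the finalizer to metadata.finalizers, a `kubectl delete --wait=false`, and then a patch of the spec; the object only disappears once the finalizer is removed again.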

The operational impact is that any control an organization has delegated to Kyverno can be switched off per object by a user with write access to that object. A validate policy that restricts Service types, required labels or annotations can be violated, and generate or mutate-existing policies that would otherwise reconcile the object will not act on it. In multi-tenant clusters, where Kyverno is often the mechanism that keeps tenants inside their boundaries, and in regulated environments where policy enforcement is the compliance evidence, this undermines the guarantee the Enforce setting is supposed to give. Exploitation requires no privileges beyond the RBAC rights to create, update and delete the targeted resource kind, which is precisely what ordinary tenant users normally hold. Kyverno raises no denial and records no violation for an object it skips, so the bypass is silent from the policy engine's point of view, although the object remains visible in the API with its deletionTimestamp and unusual finalizer.

Mitigation for CVE-2023-34091 is an upgrade to Kyverno 1.10.0 or later; no workaround exists. Until the upgrade is complete, monitor for objects that remain in a deleting state (non-null deletionTimestamp) longer than their controllers normally need, especially where a finalizer does not belong to a known controller, and alert on updates to objects that are already pending deletion; Kubernetes audit logs capture both the finalizer patch and the later spec change. Security teams should review which resource kinds other than Pods their Kyverno policies protect, since those are the kinds exposed by this bypass. The fix in 1.10.0 changes the resource-processing logic so that policies are evaluated regardless of whether deletionTimestamp is set, which is the behaviour the Enforce setting implies. Kyverno should also be treated as one layer among several: RBAC that limits who can create and update the kinds in question, and who can patch their metadata, remains the stronger control and is not affected by this flaw.
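As an added example of the monitoring described above (written for this page; not VulDB's or Kyverno's code), the following Go check reads the JSON list that `kubectl get svc -A -o json` produces, reports every object that has been pending deletion longer than a threshold, and lists any finalizer that is not in a small allowlist of well-known controller finalizers. The embedded sample list, the one-hour threshold and the allowlist are constructed assumptions; tune them for your cluster and run the same check over other kinds your policies cover.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// objectList is the minimal shape of `kubectl get <kind> -A -o json` output (only fields used here).
type objectList struct {
	Items []struct {
		Kind     string `json:"kind"`
		Metadata struct {
			Name              string     `json:"name"`
			Namespace         string     `json:"namespace"`
			Finalizers        []string   `json:"finalizers"`
			DeletionTimestamp *time.Time `json:"deletionTimestamp"`
		} `json:"metadata"`
	} `json:"items"`
}

// knownFinalizers is an assumed allowlist of finalizers that core controllers set and clear themselves.
var knownFinalizers = map[string]bool{
	"service.kubernetes.io/load-balancer-cleanup": true,
	"kubernetes.io/pvc-protection":                true,
	"kubernetes.io/pv-protection":                 true,
	"foregroundDeletion":                          true,
	"orphan":                                      true,
}

// Finding is one object stuck in the deleting state.
type Finding struct {
	Kind, Namespace, Name string
	PendingFor            time.Duration
	UnknownFinalizers     []string
}

// findStuckDeletions flags objects whose deletionTimestamp is older than maxPending relative to now.
func findStuckDeletions(doc []byte, now time.Time, maxPending time.Duration) ([]Finding, error) {
	var list objectList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var out []Finding
	for _, it := range list.Items {
		ts := it.Metadata.DeletionTimestamp
		if ts == nil {
			continue // not being deleted
		}
		pending := now.Sub(*ts)
		if pending <= maxPending {
			continue // a controller may still be working on it
		}
		f := Finding{Kind: it.Kind, Namespace: it.Metadata.Namespace, Name: it.Metadata.Name, PendingFor: pending}
		for _, fin := range it.Metadata.Finalizers {
			if !knownFinalizers[fin] {
				f.UnknownFinalizers = append(f.UnknownFinalizers, fin)
			}
		}
		out = append(out, f)
	}
	return out, nil
}

// sampleList is a constructed stand-in for real kubectl output: one healthy Service, one that is
// mid-cleanup by the cloud load-balancer controller, and one parked behind an unknown finalizer.
const sampleList = `{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"kind": "Service", "metadata": {"name": "api", "namespace": "prod"}},
    {"kind": "Service", "metadata": {"name": "ingress-lb", "namespace": "prod",
      "finalizers": ["service.kubernetes.io/load-balancer-cleanup"],
      "deletionTimestamp": "2023-06-01T23:58:00Z"}},
    {"kind": "Service", "metadata": {"name": "web", "namespace": "tenant-a",
      "finalizers": ["example.com/never-finished"],
      "deletionTimestamp": "2023-06-01T00:00:00Z"}}
  ]
}`

func main() {
	now := time.Date(2023, 6, 2, 0, 0, 0, 0, time.UTC) // fixed clock so the sample is reproducible
	findings, err := findStuckDeletions([]byte(sampleList), now, time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s/%s pending deletion for %s; unrecognised finalizers: %v\n",
			f.Kind, f.Namespace, f.Name, f.PendingFor, f.UnknownFinalizers)
	}
}
```

For live use, replace sampleList with the bytes read from stdin and now with time.Now(); pipe `kubectl get svc -A -o json` into it from a cron job and alert on any finding whose UnknownFinalizers list is non-empty. A finding with only known finalizers usually means a controller is stuck, which is worth a look but is not this attack.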

Responsible

GitHub, Inc.

Reservation

05/25/2023

Disclosure

06/01/2023

Moderation

accepted

CPE

ready

EPSS

0.00497

KEV

no

Activities

very low

Sources
