[kubernetes] CVE-2021-25749: runAsNonRoot logic bypass for Windows containers

[Pushkar Joglekar <pushkarj.at.work () gmail com>]

Hello Kubernetes Community,

A security issue was discovered in Kubernetes that could allow Windows
workloads to run as ContainerAdministrator even when those workloads set
the runAsNonRoot option to true .

This issue has been rated low and assigned CVE-2021-25749
<https://hackmd.io/ndl5QD3tTUKqYdO7rfGX7A#Am-I-vulnerable>Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads
with runAsNonRoot are impacted.
Affected Versions

   - kubelet v1.20 - v1.21
   - kubelet v1.22.0 - v1.22.13
   - kubelet v1.23.0 - v1.23.10
   - kubelet v1.24.0 - v1.24.4

How do I mitigate this vulnerability?

There are no known mitigations to this vulnerability.
<https://hackmd.io/ndl5QD3tTUKqYdO7rfGX7A#Fixed-Versions>Fixed Versions

   - kubelet v1.22.14
   - kubelet v1.23.11
   - kubelet v1.23.5
   - kubelet v1.25.0

To upgrade, refer to this documentation. *For core Kubernetes:*
https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Detection

Kubernetes Audit logs may indicate if the user name was misspelled to
bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please
contact security () kubernetes io
Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/112192
Acknowledgements

This vulnerability was reported and fixed by Mark Rosetti (@marosset)

Thank You,

Pushkar Joglekar on behalf of the Kubernetes Security Response Committee