kubernetes-csi / csi-driver-smb

This driver allows Kubernetes to access SMB Server on both Linux and Windows nodes.

CVE-2022-44640 (Remote code execution)

thrivikramgit opened this issue

Summary

It was observed that the image registry.k8s.io/sig-storage/smbplugin:v1.11.0 was using Heimdal that was vulnerable to CVE-2022-44640.

Details

The cause is an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC), which leads to arbitrary code execution.

PoC

Scan the Image registry.k8s.io/sig-storage/smbplugin:v1.11.0 using any docker image scanner like Trivy. We should see the affected CVE.
https://github.com/kubernetes-csi/csi-driver-smb/blob/master/deploy/v1.11.0/csi-smb-controller.yaml#L72

Impact

This is potentially a remote code execution (RCE) against Heimdal KDCs.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-44640
GHSA-88pm-hfmq-7vv4

Will cut a new release v1.12.0, since registry.k8s.io/sig-storage/smbplugin:canary does not have the CVE.

pls try with registry.k8s.io/sig-storage/smbplugin:v1.12.0

Hello @andyzhangx,
I tried again with Trivy and found that the CVE still exists for the image registry.k8s.io/sig-storage/smbplugin:v1.12.0. Could you please check this again?

Thanks for your support

@thrivikramgit we only fix packages that have a fixed version; there is no fixed version for the libwbclient0 package.

# trivy image --ignore-unfixed registry.k8s.io/sig-storage/smbplugin:v1.12.0
2023-08-30T11:50:06.081Z        INFO    Vulnerability scanning is enabled
2023-08-30T11:50:06.081Z        INFO    Secret scanning is enabled
2023-08-30T11:50:06.081Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-08-30T11:50:06.081Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-08-30T11:50:06.362Z        INFO    Detected OS: debian
2023-08-30T11:50:06.362Z        INFO    Detecting Debian vulnerabilities...
2023-08-30T11:50:06.373Z        INFO    Number of language-specific files: 1
2023-08-30T11:50:06.373Z        INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/sig-storage/smbplugin:v1.12.0 (debian 11.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
│ libwbclient0 │ CVE-2022-44640 │ CRITICAL │ 2:4.13.13+dfsg-1~deb11u5 │  │ Heimdal before 7.7.1 allows remote attackers to execute │
│              │                │          │                          │  │ arbitrary code ...                                      │
│              │                │          │                          │  │ https://avd.aquasec.com/nvd/cve-2022-44640              │

would be fixed by #657
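
Added example, not part of the original issue or the project's code: the maintainer's scan above uses --ignore-unfixed, which leaves out findings that have no published fixed version. The Python sketch below makes the same split on Trivy's JSON output using the FixedVersion field; the sample report is constructed, and the second finding (CVE-EXAMPLE-0001, example-pkg) is a placeholder.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output.
# The libwbclient0 entry mirrors the table row in the thread; the second
# entry and its identifier are placeholders invented for illustration.
SAMPLE_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "registry.k8s.io/sig-storage/smbplugin:v1.12.0 (debian 11.7)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-44640", "PkgName": "libwbclient0",
         "InstalledVersion": "2:4.13.13+dfsg-1~deb11u5", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example-pkg",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"}
      ]
    },
    {"Target": "smbplugin", "Type": "gobinary"}
  ]
}
""")


def split_by_fix(report):
    """Partition findings into (actionable, unfixed) lists.

    A finding is 'unfixed' when the report carries no FixedVersion for it,
    which is the set that --ignore-unfixed hides.
    """
    actionable, unfixed = [], []
    for result in report.get("Results") or []:
        # Targets with no findings omit the key or set it to null.
        for vuln in result.get("Vulnerabilities") or []:
            row = (vuln["VulnerabilityID"], vuln["PkgName"],
                   vuln.get("Severity", "UNKNOWN"))
            (actionable if vuln.get("FixedVersion") else unfixed).append(row)
    return actionable, unfixed


def gate(report, blocking=("CRITICAL", "HIGH")):
    """Return True when no fixable finding of a blocking severity remains."""
    actionable, _ = split_by_fix(report)
    return not any(sev in blocking for _, _, sev in actionable)


if __name__ == "__main__":
    fixable, waiting = split_by_fix(SAMPLE_REPORT)
    print("fixable by rebuilding:", fixable)
    print("no fixed version yet: ", waiting)
```

Keeping the unfixed list visible, rather than discarding it, lets a team track findings such as the libwbclient0 one until a fixed package version is published.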