CVE-2018-18264
Published 2019-01-03
CVE-2018-18264: Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
Priority: P2 · 76 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 70.37% (99.3th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kubernetes | dashboard | < 1.10.1 | 1.10.1 |
Detection & IOCs (extracted from sources)
- Nuclei template matcher: an HTTP 200 response whose body contains both the 'apiVersion' and 'objectRef' strings indicates successful unauthenticated access to the Kubernetes Dashboard secrets endpoint
- Trend Micro IPS rule 1009493 specifically covers CVE-2018-18264 Kubernetes Dashboard Authentication Bypass
- Trend Micro Network Security rules 34487 (HTTP) and 34488 (HTTPS) detect Kubernetes Dashboard Authentication Bypass traffic
- Shodan queries for exposed Kubernetes Dashboard instances that may be vulnerable
- The vulnerability only affects Kubernetes Dashboard versions before 1.10.1; the fix was introduced in that release
- The Nuclei template uses stop-at-first-match across two URL paths, so a scan stops at the first path that matches
- Red Hat confirmed this issue did not affect heketi shipped with Red Hat Gluster Storage 3, as it does not ship kubernetes dashboard
CVSS provenance
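| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |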
Red Hat
dashboard: Authentication bypass resulting in information exposure
vendor_redhat·2018-10-11·CVSS 7.5
CVE-2018-18264 [HIGH] CWE-305 dashboard: Authentication bypass resulting in information exposure
Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
Statement: This issue did not affect the versions of heketi shipped with 'Red Hat Gluster Storage 3' as it does not ship kubernetes dashboard.
Package: heketi (Red Hat Storage 3) - Not affected
GHSA
GHSA-7mh5-fh6p-8pw2: Kubernetes Dashboard before 1
ghsa_unreviewed·2022-05-13
CVE-2018-18264 [HIGH] CWE-306 GHSA-7mh5-fh6p-8pw2: Kubernetes Dashboard before 1
Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
No detection rules found.
Nuclei
Kubernetes Dashboard <1.10.1 - Authentication Bypass
nuclei·CVSS 7.5
CVE-2018-18264 [HIGH] Kubernetes Dashboard <1.10.1 - Authentication Bypass
Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
Template:
```yaml
id: CVE-2018-18264

info:
  name: Kubernetes Dashboard <1.10.1 - Authentication Bypass
  author: edoardottt
  severity: high
  description: |
    Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster.
  impact: |
    An attacker can bypass authentication and gain unauthorized access to the Kubernetes Dashboard, potentially leading to further compromise of the Kubernetes cluster.
  remediation: |
    Upgrade to Kubernetes Dashboard version 1.10.1 or later to mitigate the authentication bypass vulnerabil
```
Trendmicro
Analyzing How TeamTNT Used Compromised Docker Hub Accounts
blogs_trendmicro·2021-12-01
## Analyzing How TeamTNT Used Compromised Docker Hub Accounts
Following our previous disclosure of compromised Docker hub accounts delivering cryptocurrency miners, we analyze these accounts and discover more malicious actions that you need to be aware of.
By: Trend Micro Research · Dec 01, 2021
In early November, we disclosed that compromised Docker Hub accounts were being used for cryptocurrency mining and that these activities were tied to the TeamTNT threat actor. While those accounts have now been removed, we were still able to investigate TeamTNT’s activities in connection with these compromised accounts.
In addition to the behavior we noted earlier, we identified several other actions that the same threat actor carried out in different ven
Bugzilla
CVE-2018-18264 dashboard: Authentication bypass resulting in information exposure
bugzilla·2019-01-03·CVSS 7.5
CVE-2018-18264 [HIGH] CVE-2018-18264 dashboard: Authentication bypass resulting in information exposure
A vulnerability was found in Kubernetes Dashboard which allows users the ability to bypass authentication and gain access to the Dashboard as a service account with the ability to read secrets within the cluster.
External References:
https://groups.google.com/forum/#!topic/kubernetes-announce/yBrFf5nmvfI
Upstream Pull Request:
https://github.com/kubernetes/dashboard/pull/3289
Discussion:
openshift-enterprise does not ship k8s dashboard, openshift implements its own.
---
Statement:
This issue did not affect the versions of heketi shipped with 'Red Hat Gluster Storage 3' as it does not ship kubernetes dashboard.
References:
- http://www.securityfocus.com/bid/106493
- https://github.com/kubernetes/dashboard/pull/3289
- https://github.com/kubernetes/dashboard/pull/3400
- https://github.com/kubernetes/dashboard/releases/tag/v1.10.1
- https://groups.google.com/forum/#%21topic/kubernetes-announce/yBrFf5nmvfI
- https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/
Published: 2019-01-03