FluxCD Security Audit
11th November, 2021Ada Logics Ltd. recently performed a security audit and fuzzing integration work of the CI/CD automation tool Flux. Flux is composed of a set of custom Kubernetes controllers together with a shared utility library. The work was commissioned by the Cloud Native Computing Foundation and facilitated by the OSTIF.
The engagement had a broad scope, in that we both reviewed their documentation, integrated fuzzing for all of the controllers as well as manually audited the code for security issues. In total, the audit found one high severity vulnerability, four medium severity issues and 13 low severity issues. We integrated a total of twenty fuzzers.
The high severity issue is a privilege escalation vulnerability where less-privileged users of Flux can escalate to cluster admin by way of constructing specialised Kubernetes objects and have Flux consume those. In essence, this breaks the Flux multi-tenancy implementation. The issues was assigned CVE-2021-41254 and full details are available here:
CVE-2021-41254: Privilege escalation to cluster admin on multi-tenant Flux.
The fuzzing work on Flux is interesting from the perspective of we’re not aware of much fuzzing having been done against Kubernetes custom controllers. In essence, the idea is to set up a simulated Kubernetes environment and then trigger the reconciliation process of the controller. Although we are much familiar with fuzzing this was a relatively new type of fuzzer to write. The fuzzing of the custom controllers led to the discovery of multiple nil-dereferences as well as out-of-bounds accesses, and, additionally the fuzzers are set up to run on OSS-Fuzz which will likely lead to more issues being found in the future.
We provide a full report on the Flux audit with comprehensive details on the engagement and this report can be found here: https://fluxcd.io/FluxFinalReport-v1.1.pdf.
For further details, please see:
- Flux blog on the audit: https://fluxcd.io/blog/2021-11-10-flux-security-audit
- CNCF blog on the audit: https://www.cncf.io/blog/2021/11/11/flux-security-audit-has-concluded/
- OSTIF blog post on the audit: https://ostif.org/our-audit-of-flux2-is-complete/