KubeEdge holistic security audit engagement
11th July, 2022
Ada Logics has recently performed a security audit of KubeEdge. KubeEdge is an open source project that extends native containerized application orchestration and device management to hosts at the Edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge. KubeEdge was accepted to the CNCF in March 2019 and is currently at the incubating maturity level. The audit was sponsored by the CNCF and facilitated by OSTIF.
Goals of the audit
The security review took a holistic approach and had several high-level goals. First, we formalised a threat model of KubeEdge, which identified the exposed endpoints of KubeEdge and their connections to sensitive components of the architecture. The threat model is included in the report and is useful both for users of KubeEdge and for security researchers who want to look for security flaws in KubeEdge. Based on the threat model, the KubeEdge team has written security best practices for users, which can be found here: . Next, we performed a manual code review of KubeEdge to look for security-critical issues. The threat model guided this work and allowed us to focus on the most critical parts of the code base. This part of the audit exposed 12 security-relevant issues, of which 6 were assigned CVEs. Next, we integrated continuous fuzzing into KubeEdge by way of OSS-Fuzz and wrote 10 fuzzers. KubeEdge's fuzzing integration also includes CIFuzz, which triggers short fuzz runs in CI when pull requests are made. The fuzzers found 2 issues, which were assigned CVEs. Finally, Ada Logics carried out a SLSA audit of KubeEdge. SLSA is a security framework for preventing tampering and improving the integrity of software artifacts. It is still in Alpha, and KubeEdge is one of the earliest adopters of the framework.
Security Findings
The audit resulted in 12 issues ranging from informational to moderate in severity. The KubeEdge security team has triaged and patched all issues. They found that denial-of-service attacks could be launched against KubeEdge by exploiting several of the issues found, and 8 CVEs were assigned. The CVEs are all moderate in severity:
References