KubeEdge holistic security audit engagement

11th July, 2022
David Korczynski,
Security Research & Security Engineering
Adam Korczynski,
Security Engineering & Security Automation

Ada Logics has recently performed a security audit of KubeEdge. KubeEdge is an open source project that extends native containerized application orchestration and device management to hosts at the Edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge. KubeEdge was accepted to the CNCF in March 2019 and is currently at the incubating maturity level. The audit was sponsored by the CNCF and facilitated by OSTIF.

Goals of the audit

The security review had a holistic approach and had several high level goals. First, we formalised a threat model of KubeEdge, which identified the exposed endpoints of KubeEdge and their connection to sensitive components of the architecture. The threat model is included in the report and is helpful for users of KubeEdge as well as security researchers who want to look for security flaws in KubeEdge. The KubeEdge team has designed a security best-practices for users based on the threat model which can be found here: . Next, we performed a manual code review of KubeEdge to look for security-critical issues. The threat model guided this work and allowed us to focus on the most critical parts of the code base. This part of the audit exposed 12 security-relevant of which 6 were assigned CVEs. Next, we integrated continuous fuzzing into KubeEdge by way of OSS-Fuzz and wrote 10 fuzzers. KubeEdges fuzzing integration also includes CIFuzz which triggers short run fuzz runs in the CI when pull requests are made. Finally, Ada Logics carried out a SLSA audit of KubeEdge. The fuzzers found 2 issues which were assigned CVEs. SLSA is a security framework to prevent tampering and improve integrity of software artifacts. It is still in Alpha, and KubeEdge is one of the earliest adopters of the framework.

Security Findings

The audit resulted in 12 ranging from informational to moderate in severity. The KubeEdge security team has triaged and patched all issues. They found that denial-of-service attacks could be launched against KubeEdge by exploiting several of the issues found, and 8 CVE’s were assigned. The CVEs are all moderate in severity:

Websocket Client in package Viaduct: DoS from large response message
Cloud Stream and Edge Stream: DoS from large stream message
CloudCore Router: Large HTTP response can exhaust memory in REST handler
DoS when signing the CSR from EdgeCore
Cloud AdmissionController component: DoS by exhausting memory of node with http request containing large body
Edge ServiceBus module: DoS by exhausting memory of node with http request containing large body
CloudCore UDS Server: Malicious Message can crash CloudCore
CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver controller server