Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes

A high-severity security vulnerability in the Kyverno admission controller for container images could allow malicious actors to import a raft of nefarious code into cloud production environments.

The Kyverno admission controller offers a signature-verification mechanism designed to ensure that only signed, validated container images are pulled into a given Kubernetes cluster. This can ward off any number of bad outcomes, given that booby-trapped container images can carry payloads as varied as cryptominers, rootkits, exploit kits for container escape and lateral movement, credential stealers, and more.
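For readers unfamiliar with the mechanism the article refers to, the following is an added example (not from the article, ARMO, or the Kyverno project) of a Kyverno ClusterPolicy that enforces cosign signature verification on Pod images; the registry pattern and the public key are placeholders.

```yaml
# Added example: a Kyverno image-verification policy of the kind the article
# describes. Registry path and public key are placeholders, not real values.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce   # reject non-compliant pods, don't just audit
  background: false                  # image verification runs at admission only
  failurePolicy: Fail                # a webhook error blocks admission rather than allowing it
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.invalid/team/*"   # placeholder registry/namespace
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER_COSIGN_PUBLIC_KEY
                      -----END PUBLIC KEY-----
          mutateDigest: true   # rewrite tag references to the digest that was verified
          verifyDigest: true   # refuse images that cannot be resolved to a digest
          required: true       # matching images without a valid signature are rejected
```

Enforcing a policy like this is exactly the control the article says CVE-2022-47633 bypassed, so its value depends on running an admission controller in which that bug is fixed.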

However, the bug (CVE-2022-47633) can be exploited to subvert that mechanism. “The vulnerability enables an attacker … to inject unsigned images into the protected cluster, bypassing the image verification policy,” explained researchers at ARMO, in a blog post on Dec. 21. The stakes are high: The attacker can effectively take control of a victim’s pod and use all of its…
