CWE-295: TLS verification disabled in K8s strategy fallback — verify_none when ca.crt missing, Bearer token exposed #214

Description

@LeoWSY-hashblue

Summary

The Kubernetes clustering strategy's get_ssl_opts/1 function falls back to verify: :verify_none when the service account's ca.crt file is missing. This means K8s API Bearer tokens are transmitted over TLS connections that accept any certificate.

Vulnerable Code (lib/strategy/kubernetes.ex:323-337)

defp get_ssl_opts(service_account_path) do
  path = Path.join(service_account_path, "ca.crt")
  case File.exists?(path) do
    true  -> [verify: :verify_peer, cacertfile: String.to_charlist(path)]
    false -> [verify: :verify_none]    # ← DANGEROUS FALLBACK
  end
end

Credential Flow

  • verify: :verify_none is passed as SSL options to :httpc.request()
  • The K8s service account Bearer token is sent via Authorization: Bearer {token} header
  • All K8s API responses (pod lists, ConfigMaps, Secrets) transit over unverified TLS

Impact

A MITM attacker can capture the K8s service account token, gaining API access within the cluster — pod enumeration, ConfigMap/Secret access, lateral movement.

Fix

Never fall back to verify_none. Use the system CA store instead:

false -> [verify: :verify_peer]  # Use system CA, don't disable verification

Severity

CVSS 7.4 (HIGH) — CWE-295: Improper Certificate Validation
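A fail-closed replacement for get_ssl_opts/1, written as an added example (not the project's own code): it prefers the mounted service-account CA and otherwise falls back to the OS trust store, never to verify_none. It assumes OTP 25+ for :public_key.cacerts_get/0 and that :inets and :ssl are started; the module and function names other than get_ssl_opts/1 are hypothetical.

```elixir
# Added example, not the project's own code. Assumes OTP 25+ (:public_key.cacerts_get/0)
# and that :inets and :ssl have been started before :httpc.request/4 is called.
defmodule K8sSslOpts do
  @doc """
  Build the ssl options for :httpc calls to the Kubernetes API server.
  The mounted service-account CA is used when present; otherwise the OS trust
  store is used. Peer verification is always on, so a missing ca.crt can only
  make the handshake fail, never make it accept an arbitrary certificate.
  """
  def get_ssl_opts(service_account_path) do
    ca_path = Path.join(service_account_path, "ca.crt")

    trust =
      if File.exists?(ca_path) do
        [cacertfile: String.to_charlist(ca_path)]
      else
        # Fail closed: cacerts_get/0 raises if the OS store cannot be loaded,
        # and an in-cluster API cert signed by the cluster CA will be rejected
        # here rather than accepted blindly. Both outcomes are preferable to
        # sending the Bearer token over an unverified connection.
        [cacerts: :public_key.cacerts_get()]
      end

    trust ++
      [
        verify: :verify_peer,
        depth: 3,
        # Enforce hostname matching, including wildcard rules, as an HTTPS client.
        customize_hostname_check: [
          match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
        ]
      ]
  end

  @doc """
  Example caller (hypothetical): lists pods in a namespace. The Bearer token is
  only sent once the TLS handshake has verified the API server's certificate.
  """
  def list_pods(api_host, token, namespace, service_account_path) do
    url = String.to_charlist("https://#{api_host}/api/v1/namespaces/#{namespace}/pods")
    headers = [{String.to_charlist("authorization"), String.to_charlist("Bearer #{token}")}]
    http_opts = [ssl: get_ssl_opts(service_account_path)]
    :httpc.request(:get, {url, headers}, http_opts, [])
  end
end
```

A quick check for a deployed build is to grep the compiled strategy for `verify_none`; with the fallback removed, a pod without ca.crt mounted gets an `{:error, ...}` handshake result instead of a silently unverified session.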
