The four identified vulnerabilities, rated with critical severity (CVSS 9.8), can easily be exploited by attackers with in-cluster access, putting organisations using Chaos Mesh, including those leveraging managed infrastructure like Azure Chaos Studio, at immediate risk. Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform’s fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens.
“Platforms such as Chaos Mesh give, by design, complete control of the Kubernetes cluster to the platform,” said Shachar Menashe, VP Security Research at JFrog. “This flexibility can become a critical risk when vulnerabilities such as Chaotic Deputy are discovered. We recommend that Chaos Mesh users upgrade swiftly since these vulnerabilities are extremely easy to exploit and lead to total cluster takeover. We also want to offer our thanks to the Chaos Mesh maintainers for their rapid response and collaboration in addressing these critical security issues.”
The vulnerabilities stemmed from insufficient authentication mechanisms within the Chaos Controller Manager’s GraphQL server, enabling unauthenticated attackers to perform devastating commands, including arbitrary OS command injections and denial-of-service attacks, culminating in complete cluster takeover. Exploitation enables attackers to execute arbitrary code across any pod within the cluster, even when Chaos Mesh runs in its default configuration, allowing them to potentially exfiltrate sensitive data, disrupt critical services, or move laterally across the cluster to escalate privileges.
Chaos Mesh users can run the following shell command to check their vulnerability status:
kubectl get pods -A --selector app.kubernetes.io/name=chaos-mesh -o=jsonpath="{range .items[*]}{.metadata.name}{': '}{range .spec.containers[*]}{.image}{', '}{end}{'\n'}{end}"
If the returned Chaos Mesh image version is earlier than 2.7.3, the following remediation actions are recommended:
- Upgrade immediately to version 2.7.3 or later.
- If you cannot upgrade right away, restrict network traffic to the Chaos Mesh daemon and API server to reduce exposure.
- Avoid running Chaos Mesh in open or loosely secured environments, especially those accessible to potentially compromised workloads.
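As an added example (not JFrog's or the Chaos Mesh project's own tooling), the POSIX shell script below parses the output of the kubectl command above and flags any image tagged earlier than 2.7.3, comparing version components as integers so that a release such as 2.10.0 is not mistaken for an older one; the pod names and image tags in the sample are constructed.

```shell
# Added example (not JFrog's or Chaos Mesh's own tooling): parse the output of the
# kubectl jsonpath check above and flag any image tagged earlier than 2.7.3.
FIXED_VERSION="2.7.3"
# Extract major.minor.patch from an image reference such as
# ghcr.io/chaos-mesh/chaos-mesh:v2.7.2 (constructed). Fails for references without a
# semver tag (e.g. digest-pinned); a -rc1 style suffix is dropped.
image_version() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    tag="${1##*:}"; tag="${tag#v}"
    printf '%s\n' "$tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+' || return 1
    printf '%s\n' "$tag" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Exit 0 when version $1 is earlier than $2. Components are compared as integers,
# so 2.10.0 is newer than 2.7.3; a plain string comparison would get that wrong.
version_lt() {
    a=$1; b=$2
    a1=${a%%.*}; a=${a#*.}; a2=${a%%.*}; a3=${a#*.}
    b1=${b%%.*}; b=${b#*.}; b2=${b%%.*}; b3=${b#*.}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && return 0 || return 1; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && return 0 || return 1; fi
    [ "$a3" -lt "$b3" ] && return 0 || return 1
}

# Read "pod: image1, image2, " lines (the kubectl output format) on stdin and print
# "pod image version" per image earlier than FIXED_VERSION; exit 0 if any was found.
find_vulnerable_images() {
    found=1
    while IFS= read -r line; do
        pod=${line%%:*}
        old_ifs=$IFS; IFS=','; set -- ${line#*: }; IFS=$old_ifs
        for image in "$@"; do
            image=${image# }                          # drop the space after each comma
            [ -n "$image" ] || continue               # trailing ", " leaves an empty field
            ver=$(image_version "$image") || continue # no semver tag: cannot judge
            if version_lt "$ver" "$FIXED_VERSION"; then
                printf '%s %s %s\n' "$pod" "$image" "$ver"
                found=0
            fi
        done
    done
    return $found
}
# Constructed sample in the shape the kubectl command prints; tags are made up.
SAMPLE_OUTPUT='chaos-controller-manager-7d9f: ghcr.io/chaos-mesh/chaos-mesh:v2.7.2, 
chaos-daemon-x2k4: ghcr.io/chaos-mesh/chaos-daemon:v2.7.2, 
chaos-dashboard-9bq1: ghcr.io/chaos-mesh/chaos-dashboard:v2.7.3, '
printf '%s\n' "$SAMPLE_OUTPUT" | find_vulnerable_images \
    || echo "No Chaos Mesh image earlier than $FIXED_VERSION found."
```

On a real cluster, pipe the kubectl command's output into find_vulnerable_images instead of the sample; images without a semver tag are skipped and should be checked by hand.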