0001.md

Lack of websocket authentication in Lens causes remote code execution when visiting a malicious website

Release Date

2021/11/17

Overview

Linux users running Lens could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim's browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.

To exploit

1. Lens needs to be running on Linux
2. The attacker needs to know the cluster ID of at least one of the victim's clusters
3. The victim needs to visit a malicious site

https://github.com/lensapp/lens/security/advisories/GHSA-x8mv-qr7w-4fm9

Affected Products

Lens 5.2.6 or earlier running on Linux

Unaffected Products

Lens running on Mac or Windows

Vulnerability Information

CVE Identifier

CVE-2021-44458

CVSSv3.1

8.3 High CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWEs

CWE-287

Mitigations

None

Work arounds

None

Acknowledgements

Found by Mirantis PSIRT

Disclosure Timeline

2021/11/17: Public disclosure

2021/11/10: 5.2.7 with fixes published

2021/11/8: PSIRT reported vulnerability to the Lens team