fix: resolved severity discrepancy between kube-hunter report and docs for khv043 (#551)

Fixes #545

.github/workflows/publish.yml

@@ -39,7 +39,7 @@ jobs:
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
       - name: Get version
         id: get_version
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v3
         with:
           images: ${{ env.REP }}
           tag-semver: |

README.md

@@ -1,18 +1,7 @@
-![kube-hunter](https://github.com/aquasecurity/kube-hunter/blob/main/kube-hunter.png)
+## Notice
+kube-hunter is not under active development anymore. If you're interested in scanning Kubernetes clusters for known vulnerabilities, we recommend using [Trivy](https://github.com/aquasecurity/trivy). Specifically, Trivy's Kubernetes [misconfiguration scanning](https://blog.aquasec.com/trivy-kubernetes-cis-benchmark-scanning) and [KBOM vulnerability scanning](https://blog.aquasec.com/scanning-kbom-for-vulnerabilities-with-trivy). Learn more in the [Trivy Docs](https://aquasecurity.github.io/trivy/).
 
-[![GitHub Release][release-img]][release]
-![Downloads][download]
-![Docker Pulls][docker-pull]
-[![Build Status](https://github.com/aquasecurity/kube-hunter/workflows/Test/badge.svg)](https://github.com/aquasecurity/kube-hunter/actions)
-[![codecov](https://codecov.io/gh/aquasecurity/kube-hunter/branch/main/graph/badge.svg)](https://codecov.io/gh/aquasecurity/kube-hunter)
-[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
-[![License](https://img.shields.io/github/license/aquasecurity/kube-hunter)](https://github.com/aquasecurity/kube-hunter/blob/main/LICENSE)
-[![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-hunter.svg)](https://microbadger.com/images/aquasec/kube-hunter "Get your own image badge on microbadger.com")
-
-[download]: https://img.shields.io/github/downloads/aquasecurity/kube-hunter/total?logo=github
-[release-img]: https://img.shields.io/github/release/aquasecurity/kube-hunter.svg?logo=github
-[release]: https://github.com/aquasecurity/kube-hunter/releases
-[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-hunter?logo=docker&label=docker%20pulls%20%2F%20kube-hunter
+---
 
 kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. **You should NOT run kube-hunter on a Kubernetes cluster that you don't own!**
 
@@ -21,12 +10,9 @@ kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was d
 **Explore vulnerabilities**: The kube-hunter knowledge base includes articles about discoverable vulnerabilities and issues. When kube-hunter reports an issue, it will show its VID (Vulnerability ID) so you can look it up in the KB at https://aquasecurity.github.io/kube-hunter/  
 _If you're interested in kube-hunter's integration with the Kubernetes ATT&CK Matrix [Continue Reading](#kuberentes-attck-matrix)_
 
-**Contribute**: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your modules please read [Guidelines For Developing Your First kube-hunter Module](https://github.com/aquasecurity/kube-hunter/blob/main/CONTRIBUTING.md).
+[kube-hunter demo video](https://youtu.be/s2-6rTkH8a8?t=57s)
 
-[![kube-hunter demo video](https://github.com/aquasecurity/kube-hunter/blob/main/kube-hunter-screenshot.png)](https://youtu.be/s2-6rTkH8a8?t=57s)
-
-Table of Contents
-=================
+## Table of Contents
 
 - [Table of Contents](#table-of-contents)
   - [Kubernetes ATT&CK Matrix](#kubernetes-attck-matrix)
@@ -52,7 +38,6 @@ Table of Contents
   - [Contribution](#contribution)
   - [License](#license)
 
----
 ## Kubernetes ATT&CK Matrix
 
 kube-hunter now supports the new format of the Kubernetes ATT&CK matrix.

docs/_kb/KHV002.md

@@ -2,7 +2,7 @@
 vid: KHV002
 title: Kubernetes version disclosure
 categories: [Information Disclosure]
-severity: low
+severity: high
 ---
 
 # {{ page.vid }} - {{ page.title }}

docs/_kb/KHV036.md

@@ -2,7 +2,7 @@
 vid: KHV036
 title: Anonymous Authentication
 categories: [Remote Code Execution]
-severity: critical
+severity: high
 ---
 
 # {{ page.vid }} - {{ page.title }}

docs/_kb/KHV043.md

@@ -2,7 +2,7 @@
 vid: KHV043
 title: Cluster Health Disclosure
 categories: [Information Disclosure]
-severity: high
+severity: low
 ---
 
 # {{ page.vid }} - {{ page.title }}

docs/_kb/KHV052.md

@@ -2,7 +2,7 @@
 vid: KHV052
 title: Exposed Pods
 categories: [Information Disclosure]
-severity: high
+severity: medium
 ---
 
 # {{ page.vid }} - {{ page.title }}

job.yaml

@@ -5,11 +5,13 @@ metadata:
   name: kube-hunter
 spec:
   template:
+    metadata:
+      labels:
+        app: kube-hunter
     spec:
       containers:
         - name: kube-hunter
-          image: aquasec/kube-hunter
+          image: aquasec/kube-hunter:0.6.8
           command: ["kube-hunter"]
           args: ["--pod"]
       restartPolicy: Never
-  backoffLimit: 4

kube_hunter/README.md

@@ -76,7 +76,7 @@ in order to prevent circular dependency bug.
 Following the above example, let's figure out the imports:  
 ```python  
 from kube_hunter.core.types import Hunter  
-from kube_hunter.core.events import handler  
+from kube_hunter.core.events.event_handler import handler  
   
 from kube_hunter.core.events.types import OpenPortEvent  
   
@@ -206,7 +206,7 @@ __Make sure to return the event from the execute method, or the event will not g
  
 For example, if you don't want to hunt services found on a localhost IP, you can create the following module, in the `kube_hunter/modules/report/`
 ```python
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Service, EventFilterBase
 
 @handler.subscribe(Service)
@@ -222,7 +222,7 @@ That means other Hunters that are subscribed to this Service will not get trigge
 That opens up a wide variety of possible operations, as this not only can __filter out__ events, but you can actually __change event attributes__, for example:
 
 ```python
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.types import InformationDisclosure
 from kube_hunter.core.events.types import Vulnerability, EventFilterBase
 

kube_hunter/__main__.py

@@ -39,7 +39,7 @@ set_config(config)
 # Running all other registered plugins before execution
 pm.hook.load_plugin(args=args)
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import HuntFinished, HuntStarted
 from kube_hunter.modules.discovery.hosts import RunningAsPodEvent, HostScanEvent
 from kube_hunter.modules.report import get_reporter, get_dispatcher

kube_hunter/core/events/__init__.py

@@ -1,3 +1,2 @@
 # flake8: noqa: E402
-from .handler import EventQueue, handler
 from . import types

kube_hunter/core/types/hunters.py

@@ -19,7 +19,7 @@ class HunterBase:
     def publish_event(self, event):
         # Import here to avoid circular import from events package.
         # imports are cached in python so this should not affect runtime
-        from ..events import handler  # noqa
+        from ..events.event_handler import handler  # noqa
 
         handler.publish_event(event, caller=self)
 

kube_hunter/modules/discovery/apiserver.py

@@ -2,7 +2,7 @@ import logging
 import requests
 
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import OpenPortEvent, Service, Event, EventFilterBase
 
 from kube_hunter.conf import get_config

kube_hunter/modules/discovery/dashboard.py

@@ -3,7 +3,7 @@ import logging
 import requests
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, OpenPortEvent, Service
 from kube_hunter.core.types import Discovery
 

kube_hunter/modules/discovery/etcd.py

@@ -1,4 +1,4 @@
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, OpenPortEvent, Service
 from kube_hunter.core.types import Discovery
 

kube_hunter/modules/discovery/hosts.py

@@ -1,15 +1,17 @@
+import json
 import os
+import sys
+import socket
 import logging
 import itertools
 import requests
 
 from enum import Enum
 from netaddr import IPNetwork, IPAddress, AddrFormatError
-from netifaces import AF_INET, ifaddresses, interfaces, gateways
 
 from kube_hunter.conf import get_config
 from kube_hunter.modules.discovery.kubernetes_client import list_all_k8s_cluster_nodes
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, NewHostEvent, Vulnerability
 from kube_hunter.core.types import Discovery, AWS, Azure, InstanceMetadataApiTechnique
 
@@ -137,7 +139,9 @@ class FromPodHostDiscovery(Discovery):
             elif self.is_aws_pod_v2():
                 subnets, cloud = self.aws_metadata_v2_discovery()
 
-            subnets += self.gateway_discovery()
+            gateway_subnet = self.gateway_discovery()
+            if gateway_subnet:
+                subnets.append(gateway_subnet)
 
             should_scan_apiserver = False
             if self.event.kubeservicehost:
@@ -217,7 +221,26 @@ class FromPodHostDiscovery(Discovery):
     # for pod scanning
     def gateway_discovery(self):
         """Retrieving default gateway of pod, which is usually also a contact point with the host"""
-        return [[gateways()["default"][AF_INET][0], "24"]]
+        # read the default gateway directly from /proc
+        # netifaces currently does not have a maintainer. so we backported to linux support only for this cause.
+        # TODO: implement WMI queries for windows support
+        # https://stackoverflow.com/a/6556951
+        if sys.platform in ["linux", "linux2"]:
+            try:
+                from pyroute2 import IPDB
+
+                ip = IPDB()
+                gateway_ip = ip.routes["default"]["gateway"]
+                ip.release()
+                return [gateway_ip, "24"]
+            except Exception as x:
+                logging.debug(f"Exception while fetching default gateway from container - {x}")
+            finally:
+                ip.release()
+        else:
+            logging.debug("Not running in a linux env, will not scan default subnet")
+
+        return False
 
     # querying AWS's interface metadata api v1 | works only from a pod
     def aws_metadata_v1_discovery(self):
@@ -338,13 +361,62 @@ class HostDiscovery(Discovery):
 
     # generate all subnets from all internal network interfaces
     def generate_interfaces_subnet(self, sn="24"):
-        for ifaceName in interfaces():
-            for ip in [i["addr"] for i in ifaddresses(ifaceName).setdefault(AF_INET, [])]:
-                if not self.event.localhost and InterfaceTypes.LOCALHOST.value in ip.__str__():
+        if sys.platform == "win32":
+            return self.generate_interfaces_subnet_windows()
+        elif sys.platform in ["linux", "linux2"]:
+            return self.generate_interfaces_subnet_linux()
+
+    def generate_interfaces_subnet_linux(self, sn="24"):
+        try:
+            from pyroute2 import IPRoute
+
+            ip = IPRoute()
+            for i in ip.get_addr():
+                # whitelist only ipv4 ips
+                if i["family"] == socket.AF_INET:
+                    ipaddress = i[0].get_attr("IFA_ADDRESS")
+                    # TODO: add this instead of hardcoded 24 subnet, (add a flag for full scan option)
+                    # subnet = i['prefixlen']
+
+                    # unless specified explicitly with localhost scan flag, skip localhost ip addresses
+                    if not self.event.localhost and ipaddress.startswith(InterfaceTypes.LOCALHOST.value):
+                        continue
+
+                    ip_network = IPNetwork(f"{ipaddress}/{sn}")
+                    for ip in ip_network:
+                        yield ip
+        except Exception as x:
+            logging.debug(f"Exception while generating subnet scan from local interfaces: {x}")
+        finally:
+            ip.release()
+
+    def generate_interfaces_subnet_windows(self, sn="24"):
+        from subprocess import check_output
+
+        local_subnets = (
+            check_output(
+                "powershell -NoLogo -NoProfile -NonInteractive -ExecutionPolicy bypass -Command "
+                ' "& {'
+                "Get-NetIPConfiguration | Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4'}"
+                " | Select-Object -Property IPAddress, PrefixLength | ConvertTo-Json "
+                ' "}',
+                shell=True,
+            )
+            .decode()
+            .strip()
+        )
+        try:
+            subnets = json.loads(local_subnets)
+            for subnet in subnets:
+                if not self.event.localhost and subnet["IPAddress"].startswith(InterfaceTypes.LOCALHOST.value):
                     continue
-                for ip in IPNetwork(f"{ip}/{sn}"):
+                ip_network = IPNetwork(f"{subnet['IPAddress']}/{sn}")
+                for ip in ip_network:
                     yield ip
 
+        except Exception as x:
+            logging.debug(f"ERROR: Could not extract interface information using powershell - {x}")
+
 
 # for comparing prefixes
 class InterfaceTypes(Enum):

kube_hunter/modules/discovery/kubectl.py

@@ -2,7 +2,7 @@ import logging
 import subprocess
 
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import HuntStarted, Event
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/discovery/kubelet.py

@@ -5,7 +5,7 @@ from enum import Enum
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import OpenPortEvent, Event, Service
 
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

kube_hunter/modules/discovery/ports.py

@@ -2,7 +2,7 @@ import logging
 from socket import socket
 
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import NewHostEvent, OpenPortEvent
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/discovery/proxy.py

@@ -3,7 +3,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Service, Event, OpenPortEvent
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/hunting/aks.py

@@ -5,7 +5,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.modules.hunting.kubelet import ExposedPodsHandler, SecureKubeletPortHunter
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import Hunter, ActiveHunter, MountServicePrincipalTechnique, Azure
 

kube_hunter/modules/hunting/apiserver.py

@@ -5,7 +5,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.modules.discovery.apiserver import ApiServer
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, K8sVersionDisclosure
 from kube_hunter.core.types import Hunter, ActiveHunter, KubernetesCluster
 from kube_hunter.core.types.vulnerabilities import (

kube_hunter/modules/hunting/capabilities.py

@@ -2,7 +2,7 @@ import socket
 import logging
 
 from kube_hunter.modules.discovery.hosts import RunningAsPodEvent
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import Hunter, ARPPoisoningTechnique, KubernetesCluster
 

kube_hunter/modules/hunting/certificates.py

@@ -4,7 +4,7 @@ import base64
 import re
 
 from kube_hunter.core.types import Hunter, KubernetesCluster, GeneralSensitiveInformationTechnique
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, Service
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/hunting/cves.py

@@ -2,7 +2,7 @@ import logging
 from packaging import version
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 from kube_hunter.core.events.types import K8sVersionDisclosure, Vulnerability, Event
 from kube_hunter.core.types import (

kube_hunter/modules/hunting/dashboard.py

@@ -4,7 +4,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.types import Hunter, AccessK8sDashboardTechnique, KubernetesCluster
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event
 from kube_hunter.modules.discovery.dashboard import KubeDashboardEvent
 

kube_hunter/modules/hunting/etcd.py

@@ -2,7 +2,7 @@ import logging
 import requests
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, OpenPortEvent
 from kube_hunter.core.types import (
     ActiveHunter,

kube_hunter/modules/hunting/kubelet.py

@@ -9,7 +9,7 @@ import urllib3
 import uuid
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, K8sVersionDisclosure
 from kube_hunter.core.types import (
     Hunter,

kube_hunter/modules/hunting/mounts.py

@@ -3,7 +3,7 @@ import re
 import uuid
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import ActiveHunter, Hunter, KubernetesCluster, HostPathMountPrivilegeEscalationTechnique
 from kube_hunter.modules.hunting.kubelet import (

kube_hunter/modules/hunting/proxy.py

@@ -4,7 +4,7 @@ import requests
 from enum import Enum
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability, K8sVersionDisclosure
 from kube_hunter.core.types import (
     ActiveHunter,

kube_hunter/modules/hunting/secrets.py

@@ -1,7 +1,7 @@
 import logging
 import os
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event
 from kube_hunter.core.types import Hunter, KubernetesCluster, AccessContainerServiceAccountTechnique
 from kube_hunter.modules.discovery.hosts import RunningAsPodEvent

kube_hunter/modules/report/collector.py

@@ -2,7 +2,7 @@ import logging
 import threading
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import (
     Event,
     Service,

setup.cfg

@@ -31,7 +31,7 @@ zip_safe = False
 packages = find:
 install_requires =
     netaddr
-    netifaces
+    pyroute2
     requests
     PrettyTable
     urllib3>=1.24.3

tests/core/test_handler.py

@@ -4,7 +4,7 @@ from kube_hunter.conf import Config, set_config, get_config
 
 set_config(Config(active=True))
 
-from kube_hunter.core.events.handler import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.modules.discovery.apiserver import ApiServiceDiscovery
 from kube_hunter.modules.discovery.dashboard import KubeDashboard as KubeDashboardDiscovery
 from kube_hunter.modules.discovery.etcd import EtcdRemoteAccess as EtcdRemoteAccessDiscovery

tests/core/test_subscribe.py

@@ -3,7 +3,7 @@ import time
 from kube_hunter.conf import Config, set_config
 from kube_hunter.core.types import Hunter
 from kube_hunter.core.events.types import Event, Service
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 counter = 0
 first_run = True

tests/discovery/test_apiserver.py

@@ -8,7 +8,7 @@ set_config(Config())
 
 from kube_hunter.modules.discovery.apiserver import ApiServer, ApiServiceDiscovery
 from kube_hunter.core.events.types import Event
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 counter = 0
 

tests/discovery/test_hosts.py

@@ -6,7 +6,7 @@ from kube_hunter.modules.discovery.hosts import (
     HostDiscoveryHelpers,
 )
 from kube_hunter.core.types import Hunter
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 import json
 import requests_mock
 import pytest

tests/hunting/test_apiserver_hunter.py

@@ -23,7 +23,7 @@ from kube_hunter.modules.hunting.apiserver import ApiServerPassiveHunterFinished
 from kube_hunter.modules.hunting.apiserver import CreateANamespace, DeleteANamespace
 from kube_hunter.modules.discovery.apiserver import ApiServer
 from kube_hunter.core.types import ExposedSensitiveInterfacesTechnique, AccessK8sApiServerTechnique
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 counter = 0
 

tests/hunting/test_certificates.py

@@ -5,7 +5,7 @@ set_config(Config())
 
 from kube_hunter.core.events.types import Event
 from kube_hunter.modules.hunting.certificates import CertificateDiscovery, CertificateEmail
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 
 def test_CertificateDiscovery():

tests/hunting/test_cvehunting.py

@@ -5,7 +5,7 @@ from kube_hunter.conf import Config, set_config
 
 set_config(Config())
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import K8sVersionDisclosure
 from kube_hunter.modules.hunting.cves import (
     K8sClusterCveHunter,

tests/hunting/test_kubelet.py

@@ -3,7 +3,7 @@ import requests_mock
 import urllib.parse
 import uuid
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.modules.hunting.kubelet import (
     AnonymousAuthEnabled,
     ExposedExistingPrivilegedContainersViaSecureKubeletPort,