CVE-2024-6535: Use of Default Credentials
A flaw was found in Skupper. When Skupper is initialized with the console-enabled and with console-auth set to Openshift, it configures the openshift oauth-proxy with a static cookie-secret. In certain circumstances, this may allow an attacker to bypass authentication to the Skupper console via a specially-crafted cookie.
AI Analysis
Technical Summary
CVE-2024-6535 is a vulnerability in Skupper, an open-source project that interconnects applications across multiple Kubernetes clusters. The issue occurs when Skupper is initialized with the console enabled and console-auth set to openshift. In that configuration Skupper deploys the OpenShift oauth-proxy in front of the console and passes it a static cookie-secret. The cookie-secret is the key oauth-proxy uses to protect the session cookie it issues after a successful OpenShift login; it is meant to be a random value generated per deployment and known only to that proxy. Because the value is static, it is not a secret in any useful sense: it is the same in every affected installation rather than unique to one, so anyone who knows it can produce a cookie the proxy accepts and, under the circumstances Red Hat describes, reach the console without logging in. The console is the management interface for controlling and monitoring the Skupper network. The vulnerability has a CVSS v3.1 base score of 5.3 (medium). The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) describes a network-reachable attack that needs no privileges or user interaction and has a low integrity impact; the score assigns no confidentiality or availability impact, so reading traffic is outside what it records. No exploits have been reported in the wild to date. The vulnerability matters specifically for sites that use OpenShift as the authentication backend for the Skupper console. Since the console can control how services are exposed and linked between clusters, unauthorized access could allow an attacker to alter the site's network configuration, potentially leading to further compromise within the environment.
Potential Impact
For European organizations, the impact of CVE-2024-6535 is confined to environments where Skupper is deployed with the console enabled and console authentication delegated to OpenShift; sites that run the console with a different auth mode, or without the console, are not affected by this flaw. Where it applies, unauthorized access to the Skupper console could allow an attacker to alter how services are exposed and linked between clusters and to disrupt multi-cluster application connectivity. The published score records a low integrity impact and no confidentiality or availability impact, but configuration changes made through the console can serve as a stepping stone for lateral movement within cloud-native infrastructures. Organizations in finance, telecommunications and critical infrastructure that rely on Kubernetes and OpenShift for multi-cluster deployments are the most likely to run this configuration. The risk is higher wherever the console is reachable from outside the cluster, because exploitation needs no credentials and no user interaction. European companies adopting hybrid or multi-cloud strategies with OpenShift clusters interconnected via Skupper should check their exposure and remediate promptly.
Mitigation Recommendations
To mitigate CVE-2024-6535, first establish whether a Skupper site was initialized with the console enabled and console-auth set to openshift. The quickest check is to inspect the arguments of the oauth-proxy container in the Skupper router Deployment (for example with kubectl get deploy -o json in the site's namespace) and see whether --cookie-secret is passed as a literal string. If it is, update to a Skupper release that no longer uses the static value; the CVE is assigned by Red Hat, so the Red Hat CVE page and the Skupper release notes are the places to confirm the fixed versions. Where an upgrade is not immediately possible, disable the console, switch console-auth from openshift to internal (which uses a site-specific username and password), or, as a workaround, replace the proxy's cookie secret with a random per-site value held in a Kubernetes Secret. Restrict network access to the console to trusted ranges or a VPN, and avoid exposing it through a public Route. Review oauth-proxy and console access for sessions that have no matching OpenShift OAuth login, since a forged cookie skips that login entirely. Enforce strict RBAC in OpenShift and Kubernetes so that the service account behind the console can do only what the console needs, which limits what a compromised console can change. Runtime or configuration-drift monitoring of Skupper resources (services exposed, links created) gives early warning of misuse. Finally, brief DevOps and security teams on this issue and add a check to CI/CD and cluster policy that rejects oauth-proxy containers with a literal --cookie-secret, so the insecure configuration cannot return.
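As an added example covering both the mechanism in the technical summary and the verification and CI/CD steps above (this is example code written for this page, not code from Skupper or Red Hat), the Python below audits a Deployment in the shape returned by kubectl get deploy -o json for an oauth-proxy container whose --cookie-secret is a literal, and builds a hardened container spec that reads the secret from a mounted Kubernetes Secret through oauth-proxy's --cookie-secret-file flag. The sample Deployment, image tags, the Secret name oauth-proxy-cookie and the mount path are constructed for the example, and the hardened form is a suggested pattern rather than the upstream fix.

```python
"""Audit a Deployment for an oauth-proxy sidecar whose cookie secret is a
literal on the command line (the configuration pattern behind CVE-2024-6535)
and build a hardened container spec that reads the secret from a Kubernetes
Secret instead. Example code written for this page, not Skupper's own code."""
import base64
import re
import secrets

# Constructed sample in the shape of `kubectl get deploy -o json`. Names, images
# and flag values are illustrative and not copied from any Skupper release.
SAMPLE_DEPLOYMENT = {
    "metadata": {"name": "skupper-router", "namespace": "demo"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "router", "image": "quay.io/skupper/skupper-router:2.5",
         "args": ["-c", "/etc/skupper-router/config/skrouterd.json"]},
        {"name": "oauth-proxy", "image": "quay.io/openshift/origin-oauth-proxy:4.14",
         "args": ["--provider=openshift",
                  "--openshift-service-account=skupper",
                  "--upstream=http://localhost:8080",
                  "--cookie-secret=SECRET"]},   # literal on the command line: weak
    ]}}},
}

_ENV_REF = re.compile(r"^\$\((\w+)\)$")  # Kubernetes $(VAR) expansion in args


def _flag_values(args, flag):
    """Yield values given as `--flag=value` or `--flag value`."""
    for i, a in enumerate(args):
        if a.startswith(flag + "="):
            yield a.split("=", 1)[1]
        elif a == flag and i + 1 < len(args):
            yield args[i + 1]


def is_oauth_proxy(container):
    return (container.get("name") == "oauth-proxy"
            or "oauth-proxy" in container.get("image", "")
            or "--provider=openshift" in container.get("args", []))


def cookie_secret_source(container):
    """Classify where the proxy's cookie secret comes from:
    'file' (mounted from a Secret), 'secret-ref' ($(VAR) fed by a secretKeyRef),
    'static-literal' (fixed value visible in the manifest) or 'missing'."""
    args = container.get("args", [])
    if list(_flag_values(args, "--cookie-secret-file")):
        return "file"
    for value in _flag_values(args, "--cookie-secret"):
        m = _ENV_REF.match(value)
        if not m:
            return "static-literal"
        for env in container.get("env", []):
            if env.get("name") == m.group(1):
                return "secret-ref" if "secretKeyRef" in env.get("valueFrom", {}) else "static-literal"
        return "static-literal"  # $(VAR) with no matching env entry is never expanded
    return "missing"


def audit_deployment(deployment):
    """Findings for every oauth-proxy container without a Secret-backed cookie secret."""
    meta = deployment.get("metadata", {})
    findings = []
    for c in deployment["spec"]["template"]["spec"].get("containers", []):
        if is_oauth_proxy(c):
            source = cookie_secret_source(c)
            if source in ("static-literal", "missing"):
                findings.append({"namespace": meta.get("namespace"), "deployment": meta.get("name"),
                                 "container": c["name"], "source": source})
    return findings


def random_cookie_secret(nbytes=32):
    """Per-site random secret as base64 text; put it under the Secret's stringData
    so the mounted file holds exactly this text."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def hardened_container(container, secret_name="oauth-proxy-cookie", key="cookie-secret"):
    """Return (container, volume): the literal flag is removed and the proxy reads the
    secret from a file mounted from `secret_name` (oauth-proxy's --cookie-secret-file)."""
    args, skip = [], False
    for a in container.get("args", []):
        if skip:                       # drop the value token of a `--cookie-secret value` pair
            skip = False
            continue
        if a.startswith("--cookie-secret="):
            continue
        if a == "--cookie-secret":
            skip = True
            continue
        args.append(a)
    mount = "/etc/oauth-proxy/cookie-secret"
    args.append("--cookie-secret-file=" + mount + "/" + key)
    hardened = dict(container, args=args)
    hardened["volumeMounts"] = container.get("volumeMounts", []) + [
        {"name": "cookie-secret", "mountPath": mount, "readOnly": True}]
    volume = {"name": "cookie-secret", "secret": {"secretName": secret_name}}
    return hardened, volume


if __name__ == "__main__":
    for f in audit_deployment(SAMPLE_DEPLOYMENT):
        print("FINDING", f)
    proxy = SAMPLE_DEPLOYMENT["spec"]["template"]["spec"]["containers"][1]
    fixed, vol = hardened_container(proxy)
    print("hardened args:", fixed["args"])
    print("Secret stringData value to create:", random_cookie_secret())
```

Run against the constructed sample, the audit reports the oauth-proxy container with source static-literal; feeding real output from kubectl get deploy -o json through audit_deployment gives the same check for live sites, and the same function can sit in a CI job that fails when it returns any findings. The file-based form is preferred over expanding a $(VAR) into --cookie-secret because expanded arguments are visible in the process list of the pod.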
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-07-05T18:48:04.548Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f730d28b41f27b438b879
Added to database: 11/20/2025, 7:59:09 PM
Last enriched: 11/20/2025, 8:14:37 PM
Last updated: 11/20/2025, 9:14:35 PM
Related Threats
- CVE-2025-25613: n/a (Unknown)
- CVE-2024-9621: Insertion of Sensitive Information into Log File (Medium)
- CVE-2024-9620: Cleartext Transmission of Sensitive Information (Medium)
- CVE-2024-9453: Insertion of Sensitive Information into Log File in Red Hat OpenShift Developer Tools and Services (Medium)
- CVE-2024-8939: Uncontrolled Resource Consumption (Medium)