CVE-2020-8562: Bypass of Kubernetes API Server proxy TOCTOU #101493
Labels
area/security
committee/security-response
Denotes an issue or PR intended to be handled by the product security committee.
kind/bug
Categorizes issue or PR as related to a bug.
lifecycle/frozen
Indicates that an issue or PR should not be auto-closed due to staleness.
sig/api-machinery
Categorizes an issue or PR as relevant to SIG API Machinery.
triage/accepted
Indicates an issue or PR is ready to be actively worked on.
CVSS Rating: Low (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)
A security issue was discovered in Kubernetes where an authorized user may be able to access private networks on the Kubernetes control plane components. Kubernetes clusters are only affected if an untrusted user can create or modify Node objects and proxy to them, or an untrusted user can create or modify StorageClass objects and access KubeControllerManager logs.
This issue has been rated Low (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N) and assigned CVE-2020-8562.
As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
Affected Versions:
Kubernetes <= v1.21.0
Kubernetes <= v1.20.6
Kubernetes <= v1.19.10
Kubernetes <= v1.18.18
Fixed Versions
There is no fix for this issue at this time.
Mitigations
If this issue affects your clusters’ control planes, you can use dnsmasq for name resolution and configure the min-cache-ttl and neg-ttl parameters to a low non-zero value to enforce cached replies for proxied connections.
Detection
This issue is not known to be directly detectable, but proxied calls will appear in the Kubernetes API Audit log. Kubernetes will respond with “address not allowed” when the validation successfully prevents a connection.
Acknowledgements
This vulnerability was reported by Javier Provecho (Telefonica).
/area security
/kind bug
/committee product-security
/triage accepted
The text was updated successfully, but these errors were encountered: