
CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hijack #102106

Closed
cjcullen opened this issue May 18, 2021 · 4 comments
Labels
official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)

Comments

@cjcullen
Member

Issue Details

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
This issue has been rated Low (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N), and assigned CVE-2021-25737.
Affected Component
kube-apiserver

Affected Versions

v1.21.0
v1.20.0 - v1.20.6
v1.19.0 - v1.19.10
v1.16.0 - v1.18.18 (Note: EndpointSlices were not enabled by default in 1.16-1.18)

Fixed Versions

This issue is fixed in the following versions:
v1.21.1
v1.20.7
v1.19.11
v1.18.19

Mitigation

To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.

Detection

To detect whether this vulnerability has been exploited, you can list EndpointSlices and check for endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported by John Howard of Google.
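
The mitigation and detection sections above both reduce to one check: does any endpoint address in an EndpointSlice fall inside 127.0.0.0/8 or 169.254.0.0/16. The following Python is an added example, not code from the Kubernetes project or from this issue; it applies that one check in both roles, as a scan over a list of EndpointSlice objects (detection) and as the decision logic of a validating admission webhook that answers an `admission.k8s.io/v1` AdmissionReview (mitigation). The EndpointSlice objects, names and request UID are constructed sample data, and the HTTPS server and ValidatingWebhookConfiguration that would wrap `admission_response()` in a real deployment are assumed and not shown.

```python
import ipaddress

# Address ranges named in the advisory's mitigation and detection sections.
DISALLOWED_RANGES = (
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
)


def is_disallowed(address: str) -> bool:
    """True if the address parses as an IP inside one of the disallowed ranges."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        # EndpointSlices with addressType FQDN carry hostnames, not IPs; the
        # advisory's check applies to IP addresses only.
        return False
    return any(ip in net for net in DISALLOWED_RANGES)


def disallowed_addresses(endpointslice: dict) -> list:
    """Collect every endpoint address in one EndpointSlice that hits a disallowed range."""
    hits = []
    for endpoint in endpointslice.get("endpoints") or []:
        for address in endpoint.get("addresses") or []:
            if is_disallowed(address):
                hits.append(address)
    return hits


def scan(endpointslices: list) -> list:
    """Detection: (namespace, name, address) for every offending address in a list of slices."""
    findings = []
    for es in endpointslices:
        meta = es.get("metadata") or {}
        for address in disallowed_addresses(es):
            findings.append((meta.get("namespace"), meta.get("name"), address))
    return findings


def admission_response(review: dict) -> dict:
    """Mitigation: decide an admission.k8s.io/v1 AdmissionReview carrying an EndpointSlice."""
    request = review["request"]
    hits = disallowed_addresses(request.get("object") or {})
    response = {"uid": request["uid"], "allowed": not hits}
    if hits:
        response["status"] = {
            "code": 403,
            "message": "EndpointSlice endpoint addresses may not be in "
                       "127.0.0.0/8 or 169.254.0.0/16: " + ", ".join(hits),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample objects (not taken from any real cluster).
def sample_slice(name: str, addresses: list) -> dict:
    return {
        "apiVersion": "discovery.k8s.io/v1",
        "kind": "EndpointSlice",
        "metadata": {"name": name, "namespace": "default"},
        "addressType": "IPv4",
        "endpoints": [{"addresses": addresses}],
    }


SAMPLE_SLICES = [
    sample_slice("web-ok-9f2c1", ["10.0.1.5", "10.0.1.6"]),
    sample_slice("web-bad-7a3e4", ["127.0.0.1", "169.254.10.20"]),
]

SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",  # constructed UID
        "operation": "CREATE",
        "object": SAMPLE_SLICES[1],
    },
}

if __name__ == "__main__":
    for namespace, name, address in scan(SAMPLE_SLICES):
        print(f"{namespace}/{name}: disallowed endpoint address {address}")
    print(admission_response(SAMPLE_REVIEW)["response"])
```

For a real detection pass, the `items` list of `kubectl get endpointslices -A -o json` can be handed straight to `scan()`. For the webhook, the decision here only rejects on the two ranges the advisory names; the same `disallowed_addresses()` check is what an OPA Gatekeeper constraint would express in Rego instead.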

@cjcullen cjcullen added the kind/bug Categorizes issue or PR as related to a bug. label May 18, 2021
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 18, 2021
@cjcullen cjcullen removed kind/bug Categorizes issue or PR as related to a bug. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 18, 2021
@kubernetes kubernetes deleted a comment from k8s-ci-robot May 18, 2021
@kubernetes kubernetes deleted a comment from k8s-ci-robot May 18, 2021
@cjcullen
Member Author

This was fixed by #101084

@dims
Member

dims commented May 18, 2021

I was just about to link... thanks @cjcullen!

@yuvalavra

@PushkarJ hi, can you please label with official-cve-feed

@PushkarJ
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)
