-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2020-10749: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements #91507
Comments
More information for the https://www.projectcalico.org/security-bulletins/ kubernetes/kubernetes#91507
More information for the https://www.projectcalico.org/security-bulletins/ kubernetes/kubernetes#91507
@joelsmith re: "How do I mitigate this vulnerability?" |
@gadinaor, you are right. When we propose mitigations in these advisories, some may not eliminate the issue. Some may only reduce the severity, as in the case of TLS verification. The best approach is to update the CNI plugin now to a version that is not affected. |
@joelsmith - thanks - I completely agree with you that updating the vulnerable components is the best approach - I believe that having a note/disclaimer that capture this limitation would help to prevent a false sense of security - I am thinking of Istio users with mTLS enabled that would think that their systems are not vulnerable and skip the update. |
Any relevant commit for the issue described in CVE-2020-13597? |
https://github.com/containernetworking/plugins/releases/tag/v0.8.6 kubernetes/kubernetes#91507 Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> (cherry picked from commit 41b4473)
https://github.com/containernetworking/plugins/releases/tag/v0.8.6 kubernetes/kubernetes#91507 Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> (cherry picked from commit 41b4473)
https://github.com/containernetworking/plugins/releases/tag/v0.8.6 kubernetes/kubernetes#91507 Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> (cherry picked from commit 41b4473)
https://github.com/containernetworking/plugins/releases/tag/v0.8.6 kubernetes/kubernetes#91507 Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> (cherry picked from commit 41b4473)
CVE-2020-13401 xref: kubernetes/kubernetes#91507 Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
More information for the https://www.projectcalico.org/security-bulletins/ kubernetes/kubernetes#91507 (cherry picked from commit 792da56)
More information for the https://www.projectcalico.org/security-bulletins/ kubernetes/kubernetes#91507 (cherry picked from commit 792da56)
More information for the https://www.projectcalico.org/security-bulletins/ kubernetes/kubernetes#91507 (cherry picked from commit 792da56)
More information for the https://www.projectcalico.org/security-bulletins/ kubernetes/kubernetes#91507 (cherry picked from commit 792da56)
More information for the https://www.projectcalico.org/security-bulletins/ kubernetes/kubernetes#91507 (cherry picked from commit 792da56)
/label official-cve-feed (Related to kubernetes/sig-security#1) |
/retitle CVE-2020-10749: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements |
Title change is in aid of kubernetes/sig-security#1 |
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L (6.0 Medium)
A cluster configured to use an affected container networking implementation is susceptible to man-in-the-middle (MitM) attacks. By sending “rogue” router advertisements, a malicious container can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker-controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.
Am I vulnerable?
Kubernetes itself is not vulnerable. A Kubernetes cluster using an affected networking implementation is vulnerable.
Binary releases of the kubelet installed from upstream Kubernetes Community repositories hosted at https://packages.cloud.google.com/ may have also installed the
kubernetes-cni
package containing the containernetworking CNI plugins, which are affected by CVE-2020-10749.Affected Versions
The following official kubelet package versions have an affected
kubernetes-cni
package as a dependency:A cluster having an affected
kubernetes-cni
package installed is only affected if configured to use it.Third-party components and versions
Many container networking implementations are affected, including:
It is believed that the following are not affected:
Information about the vulnerability status of any plugins or implementations not listed above is currently unavailable. Please contact the provider directly with questions about their implementation.
How do I mitigate this vulnerability?
net.ipv6.conf.all.accept_ra
to 0.CAP_NET_RAW
for untrusted workloads or users. For example, a Pod Security Policy with aRequiredDropCapabilities
that includesNET_RAW
will prevent this attack for controlled workloads.Fixed Versions
The following packages will bundle fixed versions of the containernetworking CNI plugins that were formerly installed via the
kubernetes-cni
package.Because these versions are not yet available, cluster administrators using packages from the Kubernetes repositories may choose to manually upgrade CNI plugins by retrieving the relevant arch tarball from the containernetworking/plugins v0.8.6 release. The patch versions are expected to be released on June 17th, subject to change.
Additional Details
Detection
ip -6 route
but the same host with an attack in progress might show an updated default route or a route to the target address(es). Any IPv6 route with a destination interface of a host-side container network interface should be investigated.cbr0
which might normally have no IPv6 address, a dynamic-configured address on the interface may signal an attack in progress. Use this command to view interface addresses:ip a show dynamic cbr0
Affected configurations
CAP_NET_RAW privileges
. The default Kubernetes security context runs workloads with a capabilities bounding set that includesCAP_NET_RAW
.Vulnerability impact
CAP_NET_RAW
privileges on an affected cluster can intercept traffic from other containers on the host or from the host itself.Acknowledgements
This vulnerability was reported by Etienne Champetier (@champtar).
The issue was fixed by Casey Callendrello (@squeed) and maintainers of various container networking implementations. Updates to Kubernetes builds were coordinated by Stephen Augustus (@justaugustus) and Tim Pepper (@tpepper).
/area security
/kind bug
/committee product-security
/sig network
The text was updated successfully, but these errors were encountered: