CVE-2020-8555: Half-Blind SSRF in kube-controller-manager

[tallclair]

CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET requests or POST requests without an attacker controlled request body from the master's host network.

Am I vulnerable?

You may be vulnerable if:

• You are running a vulnerable version (see below)
• There are unprotected endpoints normally only visible from the Kubernetes master (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master's private network)
• Untrusted users can create pods with an affected volume type or modify storage classes.

Affected Versions

• kube-controller-manager v1.18.0
• kube-controller-manager v1.17.0 - v1.17.4
• kube-controller-manager v1.16.0 - v1.16.8
• kube-controller-manager <= v1.15.11

The affected volume types are: GlusterFS, Quobyte, StorageOS, ScaleIO

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.

Fixed Versions

The information leak was patched in the following versions:

• kube-controller-manager master - fixed by Clean up event messages for errors. #89794
• kube-controller-manager v1.18.1+ - fixed by Automated cherry pick of #89794: Clean up event messages for errors. #89796
• kube-controller-manager v1.17.5+ - fixed by Automated cherry pick of #89794: Clean up event messages for errors. #89837
• kube-controller-manager v1.16.9+ - fixed by Automated cherry pick of #89794: Clean up event messages for errors. #89838
• kube-controller-manager v1.15.12+ - fixed by Automated cherry pick of #89794: Clean up event messages for errors. #89839

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Additional Details

Exploitation of this vulnerability causes the kube-controller-manager to make a request to a user-supplied, unvalidated URL. The request does not include any kube-controller-manager client credentials.

Acknowledgements

This vulnerability was reported by Brice Augras from Groupe-Asten and Christophe Hauquiert from Nokia.

/area security
/kind bug
/committee product-security
/sig storage
/area controller-manager

[humblec]

An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to

@tallclair it should be StorageOS instead of StorageFS

[tallclair]

Thanks for the correction. Fixed.

[misterikkit]

Only the GlusterFS fix remains. We need to update our dependencies to include heketi/heketi#1771, but that hasn't been tagged in a release as of yet.

[PushkarJ]

/label official-cve-feed

(Related to kubernetes/sig-security#1)