Skip to content

CVE-2020-8555: Half-Blind SSRF in kube-controller-manager #91542

Closed
Closed
CVE-2020-8555: Half-Blind SSRF in kube-controller-manager#91542
Labels
area/controller-managerarea/securitycommittee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.official-cve-feedIssues or PRs related to CVEs officially announced by Security Response Committee (SRC)sig/storageCategorizes an issue or PR as relevant to SIG Storage.
@tallclair

Description

@tallclair
tallclair
opened on May 28, 2020

CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET requests or POST requests without an attacker controlled request body from the master's host network.

Am I vulnerable?

You may be vulnerable if:

  • You are running a vulnerable version (see below)
  • There are unprotected endpoints normally only visible from the Kubernetes master (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master's private network)
  • Untrusted users can create pods with an affected volume type or modify storage classes.

Affected Versions

  • kube-controller-manager v1.18.0
  • kube-controller-manager v1.17.0 - v1.17.4
  • kube-controller-manager v1.16.0 - v1.16.8
  • kube-controller-manager <= v1.15.11

The affected volume types are: GlusterFS, Quobyte, StorageOS, ScaleIO

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.

Fixed Versions

The information leak was patched in the following versions:

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Additional Details

Exploitation of this vulnerability causes the kube-controller-manager to make a request to a user-supplied, unvalidated URL. The request does not include any kube-controller-manager client credentials.

Acknowledgements

This vulnerability was reported by Brice Augras from Groupe-Asten and Christophe Hauquiert from Nokia.

/area security
/kind bug
/committee product-security
/sig storage
/area controller-manager

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/controller-managerarea/securitycommittee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.official-cve-feedIssues or PRs related to CVEs officially announced by Security Response Committee (SRC)sig/storageCategorizes an issue or PR as relevant to SIG Storage.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions