Host operations allowed in privileged Longhorn managed pods

High
innobead published GHSA-g358-m2wp-mhhx Dec 17, 2021

Package

No package listed

Affected versions

< 1.1.3, < 1.2.3

Patched versions

1.1.3, 1.2.3

Description

Impact

Longhorn runs privileged pods on every node of a Kubernetes cluster for volume replica management. Each pod container runs as root and exposes a gRPC service on TCP port 8500. The service is accessible by any workload in the cluster without authentication. A malicious workload can take advantage of this service to execute any binary present in the image on the host.
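As an added example (not Longhorn's own code), a small Python audit over a constructed document shaped like `kubectl get pods -n longhorn-system -o json` that flags privileged containers exposing TCP 8500 and applies this advisory's version ranges branch by branch. It assumes the release can be read from the longhorn-manager image tag; the image names and pod names in the sample are assumptions.

```python
import re
VULN_PORT = 8500                                     # gRPC port named in the advisory
FIRST_FIXED = {(1, 1): (1, 1, 3), (1, 2): (1, 2, 3)}  # branch -> patched release

def parse_version(tag):
    """'v1.2.2' -> (1, 2, 2); None if the tag is not a release version."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)$", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """Apply the advisory ranges '< 1.1.3' and '< 1.2.3' branch by branch."""
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:               # 1.0.x and older fall below 1.1.3;
        return version < (1, 1, 3)  # 1.3+ is not listed as affected
    return version < fixed

def longhorn_version(pods):
    """Release taken from the longhorn-manager image tag (assumed layout)."""
    for pod in pods["items"]:
        for c in pod["spec"]["containers"]:
            if "longhorn-manager:" in c["image"]:
                return parse_version(c["image"].rsplit(":", 1)[1])
    return None

def exposed_pods(pods):
    """Names of pods with a privileged container exposing TCP 8500."""
    out = []
    for pod in pods["items"]:
        for c in pod["spec"]["containers"]:
            priv = (c.get("securityContext") or {}).get("privileged", False)
            ports = {p.get("containerPort") for p in c.get("ports", [])}
            if priv and VULN_PORT in ports:
                out.append(pod["metadata"]["name"])
                break
    return out

# Constructed sample shaped like `kubectl get pods -n longhorn-system -o json`
SAMPLE = {"items": [
    {"metadata": {"name": "longhorn-manager-abc12"},
     "spec": {"containers": [{"image": "longhornio/longhorn-manager:v1.2.2"}]}},
    {"metadata": {"name": "instance-manager-r-0123abcd"},
     "spec": {"containers": [{"image": "longhornio/longhorn-instance-manager:v1_20211210",
                              "securityContext": {"privileged": True},
                              "ports": [{"containerPort": 8500, "protocol": "TCP"}]}]}},
]}

if __name__ == "__main__":
    v = longhorn_version(SAMPLE)
    print("Longhorn %d.%d.%d affected: %s" % (v + (is_affected(v),)))
    print("privileged pods exposing 8500:", exposed_pods(SAMPLE))
```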

Patches

This issue is fixed in 1.1.3 and 1.2.3.

Workarounds

There are no workarounds/mitigations. Please upgrade the Longhorn cluster to 1.1.3 or 1.2.3 to resolve the issue.

References

N/A

For more information

If you have any questions or comments about this advisory:

Impact

The Longhorn instance manager pods are responsible for volume replica management and access. It is possible to connect to a longhorn-engine replica instance running in the instance-manager replica pod. The longhorn-engine replica can handle multiple TCP connections, and each connection is able to read and write data on the replica. This may allow other pods in the cluster to read and write data on a replica that the malicious pod does not have access to.

Patches

This issue is fixed in 1.1.3 and 1.2.3.

Workarounds

There are no workarounds/mitigations. Please upgrade the Longhorn cluster to 1.1.3 or 1.2.3 to resolve the issue.

Credits

Thanks to Dagan Henderson and Will Kline for reporting this vulnerability.

Severity

High (8.8 / 10)

CVSS base metrics

Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2021-36779

Weaknesses

No CWEs