[Security Advisory] CVE-2021-25736: Windows kube-proxy LoadBalancer contention

[Swamy Shivaganga Nagaraju]

Hello Kubernetes Community,

A security issue was discovered in the Windows version of kube-proxy where a process on a Node may be able to accept traffic intended for a LoadBalancer Service. Clusters without Windows nodes are unaffected. 

 

This issue has been rated Medium (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)), and assigned CVE-2021-25736.

 

Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.

 

Affected Components and Configurations

Windows kube-proxy. Clusters with Windows nodes are affected by this vulnerability.

 

Affected Versions

• Kubernetes <= v1.20.5
• Kubernetes <= v1.19.9
• Kubernetes <= v1.18.17

 

Fixed Versions

This issue has been fixed in the following versions:

• v1.21.0
• v1.20.6
• v1.19.10
• v1.18.18

 

Mitigations

None

Detection

Unexpected processes listening on the same port as used by a LoadBalancer service could indicate exploitation of this issue, and should be investigated.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/pull/99958

Acknowledgements

This vulnerability was discovered by  Eric Paris & Christian Hernandez from Red Hat.

 

 

Thank You,

  Swamy Shivaganga Nagaraju, on behalf of the Kubernetes Product Security Committee