[Security Advisory] CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hijack

644 views
Skip to first unread message

CJ Cullen

unread,
May 18, 2021, 3:15:18 PM5/18/21
to kubernete...@googlegroups.com, kubernetes-dev, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs. 

This issue has been rated Low (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N), and assigned CVE-2021-25737.

Affected Component

kube-apiserver

Affected Versions

  • v1.21.0

  • v1.20.0 - v1.20.6

  • v1.19.0 - v1.19.10

  • v1.16.0 - v1.18.18 (Note: EndpointSlices were not enabled by default in 1.16-1.18)

Fixed Versions

This issue is fixed in the following versions:

  • v1.21.1

  • v1.20.7

  • v1.19.11

  • v1.18.19

Mitigation

To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.

Detection

To detect whether this vulnerability has been exploited, you can list EndpointSlices and check for endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges.

 

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See Kubernetes Issue #102106 for more details.

Acknowledgements

This vulnerability was reported by John Howard of Google.


Thank You,

CJ Cullen on behalf of the Kubernetes Product Security Committee


Reply all
Reply to author
Forward
0 new messages