[Security Advisory] CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hijack
CJ Cullen
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
This issue has been rated Low (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N), and assigned CVE-2021-25737.
Affected Component
kube-apiserver
Affected Versions
v1.21.0
v1.20.0 - v1.20.6
v1.19.0 - v1.19.10
v1.16.0 - v1.18.18 (Note: EndpointSlices were not enabled by default in 1.16-1.18)
v1.21.0
v1.20.0 - v1.20.6
v1.19.0 - v1.19.10
v1.16.0 - v1.18.18 (Note: EndpointSlices were not enabled by default in 1.16-1.18)
Fixed Versions
This issue is fixed in the following versions:
v1.21.1
v1.20.7
v1.19.11
v1.18.19
Mitigation
To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.
Detection
To detect whether this vulnerability has been exploited, you can list EndpointSlices and check for endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges.
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io