oss-sec mailing list archives
[Kubernetes] CVE-2021-25736: Windows kube-proxy LoadBalancer contention
From: Swamy Shivaganga Nagaraju <gaswamy () microsoft com>
Date: Tue, 11 May 2021 03:39:45 +0000
Hello, A security issue was discovered in the Windows version of kube-proxy where a process on a Node may be able to accept traffic intended for a LoadBalancer Service. Clusters without Windows nodes are unaffected. This issue has been rated Medium (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N>)), and assigned CVE-2021-25736. Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port ("spec.ports[*].port") as a LoadBalancer Service when the LoadBalancer controller does not set the "status.loadBalancer.ingress[].ip" field. Clusters where the LoadBalancer controller sets the "status.loadBalancer.ingress[].ip" field are unaffected. Affected Components and Configurations Windows kube-proxy. Clusters with Windows nodes are affected by this vulnerability. Affected Versions * Kubernetes <= v1.20.5 * Kubernetes <= v1.19.9 * Kubernetes <= v1.18.17 Fixed Versions This issue has been fixed in the following versions: * v1.21.0 * v1.20.6 * v1.19.10 * v1.18.18 Mitigations None Detection Unexpected processes listening on the same port as used by a LoadBalancer service could indicate exploitation of this issue, and should be investigated. If you find evidence that this vulnerability has been exploited, please contact security () kubernetes io<mailto:security () kubernetes io> Additional Details See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/pull/99958 Acknowledgements This vulnerability was discovered by Eric Paris & Christian Hernandez from Red Hat. Thank You, Swamy Shivaganga Nagaraju, on behalf of the Kubernetes Product Security Committee
Current thread:
- [Kubernetes] CVE-2021-25736: Windows kube-proxy LoadBalancer contention Swamy Shivaganga Nagaraju (May 10)