oss-sec mailing list archives

[Kubernetes] CVE-2021-25736: Windows kube-proxy LoadBalancer contention


From: Swamy Shivaganga Nagaraju <gaswamy () microsoft com>
Date: Tue, 11 May 2021 03:39:45 +0000

Hello,

A security issue was discovered in the Windows version of kube-proxy where a process on a Node may be able to accept 
traffic intended for a LoadBalancer Service. Clusters without Windows nodes are unaffected.


This issue has been rated Medium 
(CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N>) 
and assigned CVE-2021-25736.



Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port 
("spec.ports[*].port") as a LoadBalancer Service when the LoadBalancer controller does not set the 
"status.loadBalancer.ingress[].ip" field. Clusters where the LoadBalancer controller sets the 
"status.loadBalancer.ingress[].ip" field are unaffected.



Affected Components and Configurations

Windows kube-proxy. Clusters with Windows nodes are affected by this vulnerability.



Affected Versions

  *   Kubernetes <= v1.20.5
  *   Kubernetes <= v1.19.9
  *   Kubernetes <= v1.18.17



Fixed Versions

This issue has been fixed in the following versions:

  *   v1.21.0
  *   v1.20.6
  *   v1.19.10
  *   v1.18.18



Mitigations

None

Detection

Unexpected processes listening on the same port as used by a LoadBalancer service could indicate exploitation of this 
issue, and should be investigated.

If you find evidence that this vulnerability has been exploited, please contact security () kubernetes io.

Additional Details
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/pull/99958

Acknowledgements

This vulnerability was discovered by Eric Paris & Christian Hernandez from Red Hat.





Thank You,

  Swamy Shivaganga Nagaraju, on behalf of the Kubernetes Product Security Committee
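
The check described under Detection in the advisory above, as an added example that is not part of the original post or of Kubernetes: it lists LoadBalancer Services with no "status.loadBalancer.ingress[].ip" and flags node-local listeners on the same "spec.ports[*].port". It assumes the Service list was exported with `kubectl get services -A -o json` and the listeners with `Get-NetTCPConnection -State Listen` on the Windows node; the function names and all sample data are constructed for illustration.

```python
import json

def exposed_lb_ports(service_list):
    """Map port -> ["namespace/name", ...] for LoadBalancer Services whose
    status carries no ingress IP (the configuration the advisory calls affected).
    Assumption: an empty or missing ingress list counts as 'IP not set'."""
    ports = {}
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        lb = svc.get("status", {}).get("loadBalancer") or {}
        if any(entry.get("ip") for entry in lb.get("ingress") or []):
            continue  # controller set status.loadBalancer.ingress[].ip: unaffected
        meta = svc["metadata"]
        for p in spec.get("ports", []):
            ports.setdefault(p["port"], []).append(meta["namespace"] + "/" + meta["name"])
    return ports

def suspicious_listeners(service_list, listeners):
    """Return (port, pid, services) for every local listener that shares a
    port with an affected LoadBalancer Service; each hit needs investigation."""
    ports = exposed_lb_ports(service_list)
    return [(l["LocalPort"], l["OwningProcess"], ports[l["LocalPort"]])
            for l in listeners if l["LocalPort"] in ports]

# Constructed sample data, not taken from a real cluster or node.
SERVICES = json.loads("""{"items": [
 {"metadata": {"namespace": "web", "name": "frontend"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 8080}]},
  "status": {"loadBalancer": {"ingress": [{"hostname": "lb.example.internal"}]}}},
 {"metadata": {"namespace": "web", "name": "metrics"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]},
  "status": {"loadBalancer": {}}},
 {"metadata": {"namespace": "web", "name": "api"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
  "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.10"}]}}},
 {"metadata": {"namespace": "web", "name": "db"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]},
  "status": {"loadBalancer": {}}}]}""")
LISTENERS = [  # LocalPort / OwningProcess as emitted by Get-NetTCPConnection
    {"LocalPort": 8080, "OwningProcess": 4312},
    {"LocalPort": 443, "OwningProcess": 4},
    {"LocalPort": 5432, "OwningProcess": 900},
    {"LocalPort": 135, "OwningProcess": 888},
]

if __name__ == "__main__":
    for port, pid, svcs in suspicious_listeners(SERVICES, LISTENERS):
        print("port %d: PID %d listens on a port used by %s" % (port, pid, ", ".join(svcs)))
```

A hit is not proof of exploitation: resolve the PID to its process and owner on the node and confirm whether that listener is expected there.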

