oss-sec mailing list archives
[kubernetes] CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hijack
From: CJ Cullen <cjcullen () google com>
Date: Tue, 18 May 2021 12:28:20 -0700
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.

This issue has been rated Low (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N>), and assigned CVE-2021-25737.

Affected Component

kube-apiserver

Affected Versions

- v1.21.0
- v1.20.0 - v1.20.6
- v1.19.0 - v1.19.10
- v1.16.0 - v1.18.18 (Note: EndpointSlices were not enabled by default in 1.16-1.18)

Fixed Versions

This issue is fixed in the following versions:

- v1.21.1
- v1.20.7
- v1.19.11
- v1.18.19

Mitigation

To mitigate this vulnerability without upgrading kube-apiserver, you can create a validating admission webhook that prevents creation of EndpointSlices with endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you have an existing admission policy mechanism (like OPA Gatekeeper) you can create a policy that enforces this restriction.

Detection

To detect whether this vulnerability has been exploited, you can list EndpointSlices and check for endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you find evidence that this vulnerability has been exploited, please contact security () kubernetes io.

Additional Details

See Kubernetes Issue #102106 <https://github.com/kubernetes/kubernetes/issues/102106> for more details.

Acknowledgements

This vulnerability was reported by John Howard of Google.

Thank You,
CJ Cullen on behalf of the Kubernetes Product Security Committee
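The detection check described above (and the same predicate a validating admission webhook would apply for the mitigation), as an added example that is not part of the advisory or of Kubernetes itself. It assumes the input is the JSON document produced by `kubectl get endpointslices -A -o json`; the sample slice list below is constructed, and the handling of IPv4-mapped IPv6 addresses is a defensive extra the advisory does not mention.

```python
import ipaddress
import json
import sys

# The two ranges named in the advisory: rejected for Endpoints, but not
# checked for EndpointSlices before the fix.
FORBIDDEN_RANGES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
)

def is_forbidden_address(addr: str) -> bool:
    """True if addr is an IP in a forbidden range; non-IP (FQDN) values are
    never flagged. Unwrapping IPv4-mapped IPv6 is a defensive extra, not
    something the advisory states."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in FORBIDDEN_RANGES)

def find_suspicious_endpoints(slice_list: dict) -> list:
    """Walk `kubectl get endpointslices -A -o json` output and return
    (namespace, name, address) for each address in a forbidden range."""
    hits = []
    for item in slice_list.get("items", []):
        meta = item.get("metadata", {})
        for ep in item.get("endpoints") or []:
            for addr in ep.get("addresses", []):
                if is_forbidden_address(addr):
                    hits.append((meta.get("namespace"), meta.get("name"), addr))
    return hits

# Constructed sample: a clean slice, one with addresses in the forbidden
# ranges, and an FQDN slice that must not be flagged.
SAMPLE_SLICE_LIST = {"kind": "List", "items": [
    {"metadata": {"namespace": "default", "name": "web-abc12"}, "addressType": "IPv4",
     "endpoints": [{"addresses": ["10.244.1.7"]}, {"addresses": ["10.244.2.3"]}]},
    {"metadata": {"namespace": "default", "name": "odd-slice-7f"}, "addressType": "IPv4",
     "endpoints": [{"addresses": ["127.0.0.1"]}, {"addresses": ["169.254.10.20"]}]},
    {"metadata": {"namespace": "kube-system", "name": "ext-fqdn"}, "addressType": "FQDN",
     "endpoints": [{"addresses": ["example.internal"]}]},
]}

if __name__ == "__main__":
    # Pipe real cluster output in; with no stdin, scan the constructed sample.
    data = SAMPLE_SLICE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, addr in find_suspicious_endpoints(data):
        print(f"{ns}/{name}: {addr}")
```

Run it as `kubectl get endpointslices -A -o json | python3 check_slices.py` against a cluster; any line printed is an EndpointSlice the fixed kube-apiserver would have rejected.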