'[oss-security] [kubernetes] CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hi'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [kubernetes] CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hi
From:       CJ Cullen <cjcullen () google ! com>
Date:       2021-05-18 19:28:20
Message-ID: CABdrxGC=YmZPJC9Vs3rYmFatqkmgkEULnnXq8_Ux5wZOD+EvsA () mail ! gmail ! com
[Download RAW message or body]


A security issue was discovered in Kubernetes where a user may be able to
redirect pod traffic to private networks on a Node. Kubernetes already
prevents creation of Endpoint IPs in the localhost or link-local range, but
the same validation was not performed on EndpointSlice IPs.

*This issue has been rated Low
(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N>),
and assigned CVE-2021-25737.*Affected Component

*kube-apiserver*Affected Versions


* - v1.21.0- v1.20.0 - v1.20.6- v1.19.0 - v1.19.10- v1.16.0 - v1.18.18
(Note: EndpointSlices were not enabled by default in 1.16-1.18)*Fixed
Versions



*This issue is fixed in the following versions: - v1.21.1- v1.20.7-
v1.19.11- v1.18.19*Mitigation

*To mitigate this vulnerability without upgrading kube-apiserver, you can
create a validating admission webhook that prevents EndpointSlices with
endpoint addresses in the 127.0.0.0/8 <http://127.0.0.0/8> and
169.254.0.0/16 <http://169.254.0.0/16> ranges. If you have an existing
admission policy mechanism (like OPA Gatekeeper) you can create a policy
that enforces this restriction.*Detection

*To detect whether this vulnerability has been exploited, you can list
EndpointSlices and check for endpoint addresses in the 127.0.0.0/8
<http://127.0.0.0/8> and 169.254.0.0/16 <http://169.254.0.0/16> ranges. If
you find evidence that this vulnerability has been exploited, please
contact security@kubernetes.io <security@kubernetes.io>*Additional Details

See Kubernetes Issue #102106
<https://github.com/kubernetes/kubernetes/issues/102106> for more details.
Acknowledgements

This vulnerability was reported by John Howard of Google.

Thank You,

CJ Cullen on behalf of the Kubernetes Product Security Committee


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic