Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAEftUapuB4c4Le_iJm-w3R9kceNuaE2uALmXE=sWABNZcKFC2Q@mail.gmail.com>
Date: Wed, 8 Jul 2020 10:00:00 -0600
From: Joel Smith <joelsmith@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows
 for neighboring hosts to bypass localhost boundary

Hello Open Source Community,

A security issue was discovered in kube-proxy which allows adjacent hosts
(hosts running in the same LAN or layer 2 domain) to reach TCP and UDP
services on the node(s) which are bound to 127.0.0.1. For example, if a
cluster administrator runs a TCP service that listens on 127.0.0.1:1234,
because of this bug, that service would be potentially reachable by other
hosts on the same LAN as the node, or by containers running on the same
node as the service. If the example service on port 1234 required no
additional authentication (because it assumed that only other localhost
processes could reach it), then it could be vulnerable to attacks that make
use of this bug.

The Kubernetes API Server's default insecure port setting causes the API
server to listen on 127.0.0.1:8080 where it will accept requests without
authentication. Many Kubernetes installers explicitly disable the API
Server's insecure port, but in clusters where it is not disabled, an
attacker with access to another system on the same LAN or with control of a
container running on the master may be able to reach the API server and
execute arbitrary API requests on the cluster. This port is deprecated, and
will be removed in Kubernetes v1.20.

This issue has been rated medium (*CVSS
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:3.1/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>AV
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>A
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>AC
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>L
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>PR
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>N
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>UI
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>N
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>S
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>U
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>C
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>L
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>I
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>L
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>A
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>N
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>*),
and assigned CVE-2020-8558.

In clusters where the API Server insecure port is not disabled, this issue
has been rated high (*CVSS
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:3.1/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>AV
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>A
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>AC
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>L
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>PR
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>N
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>UI
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>N
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>S
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>U
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>C
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>H
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>I
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>H
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>/
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>A
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>:
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>H
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>*
).
*Am I vulnerable?*

You may be vulnerable if:

   -

   You are running a vulnerable version (see below)
   -

   Your cluster nodes run in an environment where untrusted hosts share the
   same layer 2 domain (i.e. same LAN) as nodes
   -

   Your cluster allows untrusted pods to run containers with CAP_NET_RAW
   (the Kubernetes default is to allow this capability).
   -

   Your nodes (or hostnetwork pods) run any localhost-only services which
   do not require any further authentication. To list services that are
   potentially affected, run the following commands on nodes:
   -

      lsof +c 15 -P -n -i4TCP@....0.0.1 -sTCP:LISTEN
      -

      lsof +c 15 -P -n -i4UDP@....0.0.1

On a master node, an lsof entry like this indicates that the API server may
be listening with an insecure port:

COMMAND        PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

kube-apiserver 123 root 7u IPv4  26799      0t0  TCP 127.0.0.1:8080 (LISTEN)
*Affected Versions*

   -

   kube-proxy v1.18.0-1.18.3
   -

   kube-proxy v1.17.0-1.17.6
   -

   kube-proxy <1.16.10

*How do I mitigate this vulnerability?*

Prior to upgrading, this vulnerability can be mitigated by manually adding
an iptables rule on nodes. This rule will reject traffic to 127.0.0.1 which
does not originate on the node.

iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 \

-m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP

Additionally, if your cluster does not already have the API Server insecure
port disabled, we strongly suggest that you disable it. Add the following
flag to your kubernetes API server command line: --insecure-port=0
*Detection*

Packets on the wire with an IPv4 destination in the range 127.0.0.0/8 and a
layer-2 destination MAC address of a node may indicate that an attack is
targeting this vulnerability.
*Fixed Versions*

   -

   kube-proxy v1.19.0+ (not yet released)
   -

   kube-proxy v1.18.4+
   -

   kube-proxy v1.17.7+
   -

   kube-proxy v1.16.11+

To upgrade, refer to the documentation: *https
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>://
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>kubernetes
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>.
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>io
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>/
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>docs
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>/
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>tasks
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>/
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>administer
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>-
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>cluster
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>/
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>cluster
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>-
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>management
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>/#
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>upgrading
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>-
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>a
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>-
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>cluster
<https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster>*
*Additional Details*

See the GitHub issue for more details: *https
<https://github.com/kubernetes/kubernetes/issues/92315>://
<https://github.com/kubernetes/kubernetes/issues/92315>github
<https://github.com/kubernetes/kubernetes/issues/92315>.
<https://github.com/kubernetes/kubernetes/issues/92315>com
<https://github.com/kubernetes/kubernetes/issues/92315>/
<https://github.com/kubernetes/kubernetes/issues/92315>kubernetes
<https://github.com/kubernetes/kubernetes/issues/92315>/
<https://github.com/kubernetes/kubernetes/issues/92315>kubernetes
<https://github.com/kubernetes/kubernetes/issues/92315>/
<https://github.com/kubernetes/kubernetes/issues/92315>issues
<https://github.com/kubernetes/kubernetes/issues/92315>/92315
<https://github.com/kubernetes/kubernetes/issues/92315>*
*Acknowledgements*

This vulnerability was reported by János Kövér, Ericsson with additional
impacts reported by Rory McCune, NCC Group and Yuval Avrahami and Ariel
Zelivansky, Palo Alto Networks.

Thank You,

Joel Smith on behalf of the Kubernetes Product Security Committee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.