Message-ID: <CALXpagzJ3+xVHu8S+BSpKss7BtKe+hvAFe_wPyr46V4_CVn5Dw@mail.gmail.com>
Date: Mon, 7 Dec 2020 09:11:48 -0800
From: Tim Allclair <timallclair@...il.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs

A security issue was discovered with Kubernetes affecting multitenant
clusters. If a potential attacker can already create or edit services and
pods, then they may be able to intercept traffic from other pods (or nodes)
in the cluster.

This issue has been rated medium severity (
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L>),
and assigned CVE-2020-8554.

An attacker that is able to create a ClusterIP service and set the
spec.externalIPs field can intercept traffic to that IP. An attacker that
is able to patch the status (which is considered a privileged operation and
should not typically be granted to users) of a LoadBalancer service can set
the status.loadBalancer.ingress.ip to similar effect.

This issue is a design flaw that cannot be mitigated without user-facing
changes. With this public announcement, we can begin conversations about a
long-term fix.

Affected Components and Configurations

All Kubernetes versions are affected. Multi-tenant clusters that grant
tenants the ability to create and update services and pods are most
vulnerable.

Mitigations

There is no patch for this issue, and it can currently only be mitigated by
restricting access to the vulnerable features. Because an in-tree fix would
require a breaking change, we will open a conversation about a longer-term
fix or built-in mitigation after the embargo is lifted.

To restrict the use of external IPs we are providing an admission webhook
container: k8s.gcr.io/multitenancy/externalip-webhook:v1.0.0. The source
code and deployment instructions are published at
https://github.com/kubernetes-sigs/externalip-webhook.

Alternatively, external IPs can be restricted using OPA Gatekeeper
<https://github.com/open-policy-agent/gatekeeper>. A sample
ConstraintTemplate and Constraint can be found here:
https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip.

No mitigations are provided for LoadBalancer IPs since we do not recommend
granting users patch service/status permission. If LoadBalancer IP
restrictions are required, the approach for the external IP mitigations can
be copied.

Detection

ExternalIP services are not widely used, so we recommend manually auditing
any external IP usage. Users should not patch service status, so audit
events for patch service status requests authenticated to a user may be
suspicious.

If you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io

Additional Details

See the GitHub issue for more updates:
https://github.com/kubernetes/kubernetes/issues/97076

Acknowledgements

This vulnerability was reported by Etienne Champetier of Anevia.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee
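
An added example for the Detection section above, not part of the original advisory or of Kubernetes project code: it inventories services that set spec.externalIPs (and, going slightly beyond the text, LoadBalancer ingress IPs) from `kubectl get services` JSON output, and flags audit events where a non-component identity patched services/status. The sample data, the service account name, and the rule that usernames starting with "system:" belong to cluster components are assumptions.

```python
import json

# Constructed sample, shaped like `kubectl get services --all-namespaces -o json`.
SERVICES = {"items": [
    {"metadata": {"namespace": "tenant-a", "name": "web"}, "spec": {"type": "ClusterIP"}},
    {"metadata": {"namespace": "tenant-b", "name": "proxy"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.7"]}},
    {"metadata": {"namespace": "tenant-c", "name": "lb"}, "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.9"}]}}},
]}

def _event(user, ref):  # one constructed audit.k8s.io/v1 event line (sample data)
    return json.dumps({"stage": "ResponseComplete", "verb": "patch",
                       "user": {"username": user}, "objectRef": ref})
LB = {"resource": "services", "namespace": "tenant-c", "name": "lb"}
AUDIT_LOG = "\n".join([
    _event("system:serviceaccount:kube-system:cloud-controller", {**LB, "subresource": "status"}),
    _event("alice@example.com", {**LB, "subresource": "status"}),
    _event("alice@example.com", LB),  # patch of the service itself, not its status
    "truncated {",                    # malformed line, skipped by the parser
])

def services_claiming_ips(service_list):
    """List (namespace, name, field, ips) for services with externalIPs or LB ingress IPs."""
    found = []
    for svc in service_list.get("items", []):
        meta, spec, status = (svc.get(k) or {} for k in ("metadata", "spec", "status"))
        ingress = (status.get("loadBalancer") or {}).get("ingress") or []
        lb_ips = [i["ip"] for i in ingress if i.get("ip")]
        for field, ips in (("spec.externalIPs", spec.get("externalIPs") or []),
                           ("status.loadBalancer.ingress", lb_ips)):
            if ips:
                found.append((meta.get("namespace"), meta.get("name"), field, ips))
    return found

def user_status_patches(audit_log, component_prefixes=("system:",)):
    """List (user, namespace, name) for completed services/status patches by non-components."""
    hits = []
    for line in audit_log.splitlines():
        try:
            ev = json.loads(line)
            ref, user = ev.get("objectRef") or {}, (ev.get("user") or {}).get("username") or ""
        except (ValueError, AttributeError):
            continue  # malformed or non-object line
        if (ev.get("stage") == "ResponseComplete" and ev.get("verb") == "patch"
                and ref.get("resource") == "services" and ref.get("subresource") == "status"
                and not user.startswith(component_prefixes)):
            hits.append((user, ref.get("namespace"), ref.get("name")))
    return hits
```

Filtering on the ResponseComplete stage avoids counting the same request once per audit stage; adjust component_prefixes to match the controllers that legitimately write service status in your cluster.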
