Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CABdrxGC=YmZPJC9Vs3rYmFatqkmgkEULnnXq8_Ux5wZOD+EvsA@mail.gmail.com>
Date: Tue, 18 May 2021 12:28:20 -0700
From: CJ Cullen <cjcullen@...gle.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2021-25737: Holes in EndpointSlice Validation Enable
 Host Network Hijack

A security issue was discovered in Kubernetes where a user may be able to
redirect pod traffic to private networks on a Node. Kubernetes already
prevents creation of Endpoint IPs in the localhost or link-local range, but
the same validation was not performed on EndpointSlice IPs.

*This issue has been rated Low
(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N>),
and assigned CVE-2021-25737.*Affected Component

*kube-apiserver*Affected Versions


* - v1.21.0- v1.20.0 - v1.20.6- v1.19.0 - v1.19.10- v1.16.0 - v1.18.18
(Note: EndpointSlices were not enabled by default in 1.16-1.18)*Fixed
Versions



*This issue is fixed in the following versions: - v1.21.1- v1.20.7-
v1.19.11- v1.18.19*Mitigation

*To mitigate this vulnerability without upgrading kube-apiserver, you can
create a validating admission webhook that prevents EndpointSlices with
endpoint addresses in the 127.0.0.0/8 <http://127.0.0.0/8> and
169.254.0.0/16 <http://169.254.0.0/16> ranges. If you have an existing
admission policy mechanism (like OPA Gatekeeper) you can create a policy
that enforces this restriction.*Detection

*To detect whether this vulnerability has been exploited, you can list
EndpointSlices and check for endpoint addresses in the 127.0.0.0/8
<http://127.0.0.0/8> and 169.254.0.0/16 <http://169.254.0.0/16> ranges. If
you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io <security@...ernetes.io>*Additional Details

See Kubernetes Issue #102106
<https://github.com/kubernetes/kubernetes/issues/102106> for more details.
Acknowledgements

This vulnerability was reported by John Howard of Google.

Thank You,

CJ Cullen on behalf of the Kubernetes Product Security Committee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.