[kubernetes] CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hijack
oss-sec
mailing list archives
From: CJ Cullen <cjcullen () google com>

Date: Tue, 18 May 2021 12:28:20 -0700

A security issue was discovered in Kubernetes where a user may be able to
redirect pod traffic to private networks on a Node. Kubernetes already
prevents creation of Endpoint IPs in the localhost or link-local range, but
the same validation was not performed on EndpointSlice IPs.

This issue has been rated Low
(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N>),
and assigned CVE-2021-25737.

Affected Component

kube-apiserver

Affected Versions

- v1.21.0
- v1.20.0 - v1.20.6
- v1.19.0 - v1.19.10
- v1.16.0 - v1.18.18

(Note: EndpointSlices were not enabled by default in 1.16-1.18)

Fixed Versions

This issue is fixed in the following versions:

- v1.21.1
- v1.20.7
- v1.19.11
- v1.18.19

Mitigation

To mitigate this vulnerability without upgrading kube-apiserver, you can
create a validating admission webhook that rejects EndpointSlices whose
endpoint addresses fall in the 127.0.0.0/8 or 169.254.0.0/16 ranges. If you
have an existing admission policy mechanism (like OPA Gatekeeper) you can
create a policy that enforces this restriction.

Detection

To detect whether this vulnerability has been exploited, you can list
EndpointSlices and check for endpoint addresses in the 127.0.0.0/8 and
169.254.0.0/16 ranges. If you find evidence that this vulnerability has been
exploited, please contact security () kubernetes io.

Additional Details

See Kubernetes Issue #102106
<https://github.com/kubernetes/kubernetes/issues/102106> for more details.
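The address check that both the Mitigation and the Detection sections above call for, written out as an added example; this is not part of the advisory and not Kubernetes' own code. The program decodes an EndpointSliceList in the JSON shape that `kubectl get endpointslices -A -o json` prints and reports every endpoint address in a loopback or link-local range. It goes slightly beyond the two IPv4 ranges named above by also treating the IPv6 loopback (::1) and link-local (fe80::/10) addresses as forbidden, the same address classes the advisory says Endpoints validation already rejects. The type names, the `Finding` struct and the embedded sample list are assumptions made for this example; the JSON field names are those of discovery.k8s.io/v1 EndpointSlice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Minimal shape of a discovery.k8s.io/v1 EndpointSliceList as printed by
// `kubectl get endpointslices -A -o json`; only the fields we inspect are kept.
type endpointSliceList struct {
	Items []endpointSlice `json:"items"`
}

type endpointSlice struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	AddressType string     `json:"addressType"`
	Endpoints   []endpoint `json:"endpoints"`
}

type endpoint struct {
	Addresses []string `json:"addresses"`
}

// Finding records one endpoint address that must not appear in an
// EndpointSlice because it points at the node itself (hypothetical type).
type Finding struct {
	Namespace, Name, Address, Reason string
}

// IsSpecialIP reports whether addr lies in a range that Kubernetes refuses
// for Endpoints and, after the fix, for EndpointSlices: loopback
// (127.0.0.0/8, ::1) or link-local unicast (169.254.0.0/16, fe80::/10).
// An unparseable address is also rejected so that a webhook fails closed.
func IsSpecialIP(addr string) (bool, string) {
	ip := net.ParseIP(addr)
	switch {
	case ip == nil:
		return true, "not a valid IP address"
	case ip.IsLoopback():
		return true, "loopback address"
	case ip.IsLinkLocalUnicast():
		return true, "link-local address"
	}
	return false, ""
}

// AuditEndpointSlices parses a JSON EndpointSliceList and returns every
// address that falls in a forbidden range. Applied to the single object in
// an AdmissionReview request, the same check is what a validating webhook
// would use to deny the EndpointSlice.
func AuditEndpointSlices(raw []byte) ([]Finding, error) {
	var list endpointSliceList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("decoding EndpointSliceList: %w", err)
	}
	var findings []Finding
	for _, es := range list.Items {
		// FQDN slices carry hostnames, not IPs; the range check does not apply.
		if es.AddressType == "FQDN" {
			continue
		}
		for _, ep := range es.Endpoints {
			for _, a := range ep.Addresses {
				if bad, why := IsSpecialIP(a); bad {
					findings = append(findings, Finding{
						Namespace: es.Metadata.Namespace, Name: es.Metadata.Name,
						Address: a, Reason: why,
					})
				}
			}
		}
	}
	return findings, nil
}

// sampleList is a constructed EndpointSliceList (hypothetical names and
// addresses): one ordinary slice and one carrying loopback and link-local
// addresses of the kind the advisory describes.
const sampleList = `{
  "items": [
    {"metadata": {"name": "web-abc12", "namespace": "default"},
     "addressType": "IPv4",
     "endpoints": [{"addresses": ["10.244.1.5"]}]},
    {"metadata": {"name": "suspect-slice", "namespace": "default"},
     "addressType": "IPv4",
     "endpoints": [{"addresses": ["127.0.0.1", "169.254.10.20", "10.244.2.9"]}]}
  ]
}`

func main() {
	findings, err := AuditEndpointSlices([]byte(sampleList))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s/%s: endpoint address %s is a %s\n",
			f.Namespace, f.Name, f.Address, f.Reason)
	}
}
```

For a real audit, replace the embedded sample with the output of `kubectl get endpointslices -A -o json` read from stdin; each reported slice is worth a closer look, since nothing in normal cluster operation writes a node-local address into an EndpointSlice. The `IsSpecialIP` function is the piece to reuse in an admission webhook or policy engine: apply it to every address of the incoming object and deny on the first hit.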
Acknowledgements

This vulnerability was reported by John Howard of Google.

Thank You,

CJ Cullen on behalf of the Kubernetes Product Security Committee
