CVE-2020-8554: Kubernetes man in the middle using LoadBalancer or ExternalIPs
First published: Fri Oct 23 2020(Updated: )
A flaw was found in kubernetes. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/atomic-openshift | <0:3.11.374-1.git.0.ebd3ee9.el7 | 0:3.11.374-1.git.0.ebd3ee9.el7 |
| Kubernetes Kubernetes | ||
| Oracle Communications Cloud Native Core Network Slice Selection Function | =1.2.1 | |
| Oracle Communications Cloud Native Core Policy | =1.15.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 |
Remedy
ExternalIP addresses ranges can be configured as described below. OCP 4 is secure by default, though cluster-admins can whitelist externalIP addresses as needed. OCP 3.11 can be secured by changing `externalIPNetworkCIDR` to "0.0.0.0/32", which blocks all externalIP address values. https://docs.openshift.com/container-platform/4.6/networking/configuring_ingress_cluster_traffic/configuring-externalip.html https://docs.openshift.com/container-platform/3.11/admin_guide/tcp_ingress_external_ports.html#service-externalip Users can check if they have permission to patch the Status of a LoadBalancer Service with the command: `kubectl auth can-i patch service --subresource=status`. In OCP, by default only cluster-admins are granted this permission.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-8554 https://nvd.nist.gov/vuln/detail/CVE-2020-8554 https://blog.champtar.fr/K8S_MITM_LoadBalancer_ExternalIPs/ https://groups.google.com/g/kubernetes-security-announce/c/iZWsF9nbKE8
- https://bugzilla.redhat.com/show_bug.cgi?id=1891051
- https://access.redhat.com/errata/RHSA-2021:0079
- https://access.redhat.com/security/cve/cve-2020-8554
- https://github.com/kubernetes/kubernetes/issues/97076
- https://groups.google.com/g/kubernetes-security-announce/c/iZWsF9nbKE8
- https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6@%3Ccommits.druid.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://github.com/openshift/origin/commit/290ade01c6c27e835a2b9132fce839234fc4ea27
- https://docs.openshift.com/container-platform/4.6/networking/configuring_ingress_cluster_traffic/configuring-externalip.html
- https://docs.openshift.com/container-platform/3.11/admin_guide/tcp_ingress_external_ports.html#service-externalip
- https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_control_plane/templates/master.yaml.v1.j2#L139
- https://blog.champtar.fr/K8S_MITM_LoadBalancer_ExternalIPs/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1910192
- https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID for this flaw in Kubernetes?
The vulnerability ID is CVE-2020-8554.
What is the severity of CVE-2020-8554?
The severity of CVE-2020-8554 is medium (6.3).
How can an attacker exploit CVE-2020-8554?
An attacker can exploit CVE-2020-8554 by creating a ClusterIP service and setting the spec.externalIPs field to intercept traffic.
Which versions of Kubernetes are affected by CVE-2020-8554?
All versions of Kubernetes are affected by CVE-2020-8554.
Where can I find more information about CVE-2020-8554?
You can find more information about CVE-2020-8554 in the references provided.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8554
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/title
- agent/description
- agent/event
- agent/tags
- agent/source
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kubernetes
- vendor/oracle
- canonical/oracle communications cloud native core network slice selection function
- version/oracle communications cloud native core network slice selection function/1.2.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.15.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.14.0