Bug 1185502 - (CVE-2020-8562) VUL-1: CVE-2020-8562: kubernetes: Bypass of Kubernetes API Server proxy TOCTOU
(CVE-2020-8562)
VUL-1: CVE-2020-8562: kubernetes: Bypass of Kubernetes API Server proxy TOCTOU
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Richard Brown
Security Team bot
CVSSv3.1:SUSE:CVE-2020-8562:2.2:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-04-30 13:19 UTC by Robert Frohl
Modified: 2021-10-14 09:12 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 4 Robert Frohl 2021-05-07 13:50:50 UTC
oss-security:

Hello Kubernetes Community,

 

A security issue was discovered in Kubernetes where an authorized user may be able to access private networks on the Kubernetes control plane components. Kubernetes clusters are only affected if an untrusted user can create or modify Node objects and proxy to them, or an untrusted user can create or modify StorageClass objects and access KubeControllerManager logs. 

 

This issue has been rated Low (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N) and assigned CVE-2020-8562.

 

As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.

 

Am I vulnerable?

 

Kubernetes clusters are only affected if an untrusted user can create or modify Node objects and proxy to them, or an untrusted user can create or modify StorageClass objects and access KubeControllerManager logs.

 

Affected Versions:

 
Kubernetes <= v1.21.0
Kubernetes <= v1.20.6
Kubernetes <= v1.19.10
Kubernetes <= v1.18.18
 

How do I mitigate this vulnerability?

 

If this issue affects your clusters’ control planes, you can use dnsmasq for name resolution and configure the min-cache-ttl and neg-ttl parameters to a low non-zero value to enforce cached replies for proxied connections

 

Detection

 

This issue is not known to be directly detectable, but proxied calls will appear in the Kubernetes API Audit log. Kubernetes will respond with “address not allowed” when the validation successfully prevents a connection.

 

Additional Details

 See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/101493

 

Acknowledgements

This vulnerability was reported by Javier Provecho (Telefonica).

 

Thank you,

Micah Hausler on behalf of the Kubernetes Product Security Committee
Comment 5 Robert Frohl 2021-05-07 13:51:57 UTC
rating to low, won't be fixed in CaaSP
Comment 6 Robert Frohl 2021-05-07 13:54:17 UTC
@Rich: not sure if openSUSE might want this fixed