Description
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
A flaw was found in Kubernetes. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.
Report
OpenShift Container Platform (OCP) includes a built-in externalIP admission plugin, which restricts the use of Service externalIPs to those configured by a cluster-admin. In OCP 4 all externalIP ranges are disabled by default. In OCP 3.11, the default range is "0.0.0.0/0", which allows all IP addresses. The second attack vector, via patching the Status of a LoadBalancer Service, is not possible unless permission to patch service/status is granted. OCP does not grant this permission to users who are not cluster-admins. OCP 4 is not affected by this vulnerability as it is secure by default. OCP 3.11 is affected; however, the vulnerability can be mitigated by configuring the built-in externalIP admission plugin.
Mitigation
ExternalIP address ranges can be configured as described below. OCP 4 is secure by default, though cluster-admins can whitelist externalIP addresses as needed. OCP 3.11 can be secured by changing externalIPNetworkCIDR to "0.0.0.0/32", which blocks all externalIP address values.
https://docs.openshift.com/container-platform/4.6/networking/configuring_ingress_cluster_traffic/configuring-externalip.html
https://docs.openshift.com/container-platform/3.11/admin_guide/tcp_ingress_external_ports.html#service-externalip
Users can check if they have permission to patch the Status of a LoadBalancer Service with the command: kubectl auth can-i patch service --subresource=status. In OCP, by default only cluster-admins are granted this permission.
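As an added example that is not part of this advisory or of OpenShift's own tooling, the following audit walks the JSON output of `kubectl get services -A -o json` and flags every Service that claims an address through either vector described above (spec.externalIPs, or status.loadBalancer.ingress.ip) that lies outside an operator-supplied list of allowed CIDRs. The sample Service objects and the allowed ranges are constructed for illustration; passing ["0.0.0.0/32"] reproduces the "block everything" setting recommended for OCP 3.11.

```python
import ipaddress
import json

# Constructed sample of `kubectl get services -A -o json` output (not real cluster data).
SAMPLE_SERVICES = json.dumps({
    "items": [
        {"metadata": {"namespace": "team-a", "name": "web"},
         "spec": {"type": "ClusterIP", "externalIPs": ["10.0.0.5"]},
         "status": {"loadBalancer": {}}},
        {"metadata": {"namespace": "team-b", "name": "sneaky"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]},
         "status": {"loadBalancer": {}}},
        {"metadata": {"namespace": "team-c", "name": "lb"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}},
        {"metadata": {"namespace": "team-d", "name": "plain"},
         "spec": {"type": "ClusterIP"},
         "status": {"loadBalancer": {}}},
    ]
})


def audit_services(services_json, allowed_cidrs):
    """Return (namespace/name, field, ip) for every Service that claims an IP
    outside the allowed ranges, via spec.externalIPs or the LoadBalancer
    status ingress. allowed_cidrs is an assumed operator-maintained list;
    ["0.0.0.0/32"] matches nothing but 0.0.0.0, i.e. blocks every value."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for svc in json.loads(services_json)["items"]:
        name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        # Vector 1: externalIPs set directly in the Service spec.
        claimed = [("spec.externalIPs", ip)
                   for ip in svc.get("spec", {}).get("externalIPs", [])]
        # Vector 2: an ingress IP written into the LoadBalancer status.
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        claimed += [("status.loadBalancer.ingress.ip", e["ip"])
                    for e in ingress if "ip" in e]
        for field, ip in claimed:
            addr = ipaddress.ip_address(ip)
            if not any(addr in n for n in nets):
                findings.append((name, field, ip))
    return findings
```

Services whose claimed addresses fall outside the ranges a cluster-admin actually configured are the ones worth a closer look, regardless of which of the two fields carries the address.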
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 4 | openshift | Not affected | ||
Red Hat Storage 3 | heketi | Not affected | ||
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHSA-2021:0079 | 20.01.2021 |
Additional information
Status:
EPSS
6.3 Medium
CVSS3