Notice of Kubernetes kube-apiserver Input Verification Vulnerability (CVE-2020-8559)
Description
Kubernetes disclosed a security vulnerability in kube-apiserver. An attacker can intercept certain upgrade requests sent to the kubelet of a node and forward them to other target nodes using the original access credentials carried in the requests. This can lead to privilege escalation. This section describes the affected versions, the impact, and the preventive measures for this vulnerability.
Type | CVE-ID | Severity | Discovered |
---|---|---|---|
Others | CVE-2020-8559 | Medium | 2020-07-15 |
Impact
The kube-apiserver component allows proxied backends to send upgrade requests back to the original client. An attacker can intercept certain upgrade requests sent to the kubelet of a node and forward them to other target nodes using the original access credentials carried in the requests. This can lead to privilege escalation. This vulnerability received a CVSS rating of 6.4 (Medium).
If multiple clusters share the same CA and authentication credential, this vulnerability may allow an attacker to attack other clusters. In this case, this vulnerability should be considered High severity.
For cross-cluster scenarios, each CCE cluster uses an independently issued CA, and the authentication credentials of different clusters are isolated from each other. CCE cross-cluster scenarios are therefore not affected by this vulnerability.
All kube-apiserver versions from v1.6.0 up to, but not including, the following fixed versions are affected by this vulnerability:
- kube-apiserver v1.18.6
- kube-apiserver v1.17.9
- kube-apiserver v1.16.13
The following application scenarios are also affected by this vulnerability:
- A cluster is shared by multiple tenants and nodes are used as security boundaries for tenant isolation.
- Clusters share certificate authorities (CAs) and authentication credentials.
Solution
You are advised to take the following security measures to prevent cross-node attacks in a cluster:
- Keep authentication credentials secure.
- Follow the principle of least privilege when granting permissions to IAM users. Use RBAC policies to restrict access to the pods/exec, pods/attach, pods/portforward, and proxy resources.
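To check that the RBAC restriction above is actually in place, the following added example (not part of this notice or of CCE) audits Role/ClusterRole objects for rules that grant any verb on the pods/exec, pods/attach, pods/portforward and proxy subresources, including grants hidden behind `*` or `pods/*` wildcards. The three roles are constructed inline for illustration; in practice you would feed it the output of `kubectl get roles,clusterroles -A -o json`.

```python
"""Audit Kubernetes RBAC rules for the sensitive subresources named in the advisory."""
from typing import Dict, List

# Subresources reachable through the kubelet/proxy upgrade path. pods/exec, pods/attach and
# pods/portforward are in the core ("") API group, as are the nodes/pods/services proxy subresources.
SENSITIVE = {"pods/exec", "pods/attach", "pods/portforward",
             "nodes/proxy", "pods/proxy", "services/proxy"}


def _matches(pattern: str, name: str) -> bool:
    """RBAC resource matching: '*' matches everything, 'pods/*' matches every pod subresource."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def sensitive_grants(role: Dict) -> List[str]:
    """Return 'resource:verbs' entries for every sensitive resource the role grants."""
    findings = []
    for rule in role.get("rules", []):
        if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
            continue  # the sensitive resources all live in the core API group
        verbs = ",".join(sorted(rule.get("verbs", [])))
        for res in rule.get("resources", []):
            for target in sorted(SENSITIVE):
                if _matches(res, target):
                    findings.append(f"{target}:{verbs}")
    return findings


# Constructed sample roles (hypothetical names): one over-broad, one explicit, one least-privilege.
ROLES = [
    {"metadata": {"name": "debug-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/attach"], "verbs": ["create"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
]


def audit(roles=ROLES) -> Dict[str, List[str]]:
    """Map each role name to the sensitive grants it contains (empty list means it is clean)."""
    return {r["metadata"]["name"]: sensitive_grants(r) for r in roles}


if __name__ == "__main__":
    for name, grants in audit().items():
        print(name, "->", grants or "OK")
```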