Notice on the Docker Engine Input Verification Vulnerability (CVE-2020-13401)

Description

IPv6 address dynamic allocation can be implemented through Dynamic Host Configuration Protocol (DHCP) or Router Advertisement. This causes the CVE-2020-13401 vulnerability. Router Advertisement allows the router to periodically notify nodes of the network status, including routing records. The client configures the network through Neighbor Discovery Protocol (NDP). This section describes the impacts of the vulnerability.

Impact

Nodes on which IPv6 is enabled and the Container Network Interface (CNI) plug-in version is earlier than v0.8.6

A malicious attacker can tamper with the IPv6 routing records of other containers on the host or the host itself to initiate a man-in-the-middle attack. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to use the IPv6 record for connections first then fall back to the IPv4 record, giving an opportunity to the attacker to respond. This vulnerability received a CVSS rating of 6.0 (Medium).

Kubernetes is not affected by this vulnerability. However, the CNI plug-in (see https://github.com/containernetworking/plugins/pull/484 for details) used by Kubernetes is affected. The following kubelet versions involve the affected CNI plug-in:

• kubelet v1.18.0 to v1.18.3
• kubelet v1.17.0 to v1.17.6
• kubelet < v1.16.11

Solution

• Change the value of the host kernel parameter net.ipv6.conf.all.accept_ra to 0 to reject IPv6 route advertisements.
• Use service containers together with TLS and proper certificate verification to prevent man-in-the-middle spoofing.
• Do not set the CAP_NET_RAW capability in pods to prevent malicious containers from tampering with IPv6 routes.

  securityContext:
        capabilities:
          drop: ["NET_RAW"]