CVE-2020-13401 Vulnerability Notice
The Huawei Cloud CCI team fully noticed the Kubernetes security vulnerability CVE-2020-13401 on July 22. After detailed analysis, it is found that the vulnerability has no impact on users and CCI services, and does not need to be handled.
Vulnerability Details
Kubernetes officially released security vulnerability CVE-2020-13401, with CVSS rating of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L (6.0 Medium).
Vulnerability brief: IPv6 address dynamic allocation can be implemented through Dynamic Host Configuration Protocol (DHCP) or Router Advertisement. This causes the CVE-2020-13401 vulnerability. Router Advertisement allows the router to periodically notify nodes of the network status, including routing records. The client configures the network through Neighbor Discovery Protocol (NDP).
A malicious attacker can tamper with the IPv6 routing records of other containers on the host or the host itself to initiate a man-in-the-middle attack. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to use the IPv6 record for connections first then fall back to the IPv4 record, giving an opportunity to the attacker to respond.
Reference link: https://github.com/kubernetes/kubernetes/issues/91507
How Do I Determine Whether a Vulnerability Is Involved?
- kubelet v1.18.0–v1.18.3
- kubelet v1.17.0–v1.17.6
- kubelet versions earlier than v1.16.11
Vulnerability Analysis Results
The CCI service is not affected by this vulnerability. The reason is as follows:
CCI workloads are deployed on clusters of Kubernetes v1.15 that do not have IPv6 enabled. Therefore, CCI nodes will not be attacked.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
