Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice of Kubernetes kube-apiserver Input Verification Vulnerability (CVE-2020-8559)
Updated on 2024-08-17 GMT+08:00

Notice of Kubernetes kube-apiserver Input Verification Vulnerability (CVE-2020-8559)

Description

Kubernetes disclosed a security vulnerability in kube-apiserver. An attacker can intercept certain upgrade requests sent to kubelet of a node and forward the requests to other target nodes using the original access credentials in the requests. This can lead permission escalation. This section describes the affected versions, impact, and preventive measures of the vulnerability.

Table 1 Vulnerability details

Type

CVE-ID

Severity

Discovered

Others

CVE-2020-8559

Medium

2020-07-15

Impact

The kube-apiserver component allows the proxied backends to send upgrade requests back to the original client. An attacker can intercept certain upgrade requests sent to kubelet of a node and forward the requests to other target nodes using the original access credentials in the requests. This can lead permission escalation. This vulnerability received a CVSS rating of 6.4 (Medium).

If multiple clusters share the same CA and authentication credential, this vulnerability may allow an attacker to attack other clusters. In this case, this vulnerability should be considered High severity.

In the cross-cluster scenarios, each CCE cluster uses an independently issued CA and authentication credentials of different clusters are isolated from each other. The cross-cluster scenarios are not affected by this vulnerability.

All kube-apiserver components from v1.6.0 to the following fixed versions are affected by this vulnerability:

  • kube-apiserver v1.18.6
  • kube-apiserver v1.17.9
  • kube-apiserver v1.16.13

The following application scenarios are also affected by this vulnerability:

  • A cluster is shared by multiple tenants and nodes are used as security boundaries for tenant isolation.
  • Clusters share certificate authorities (CAs) and authentication credentials.

Solution

You are advised to take the following security measures to prevent cross-node attacks in a cluster:

  • Keep authentication credentials secure.
  • Follow the principle of the least privilege when granting permissions to IAM users. Use RBAC policies to restrict the access to the pods/exec, pods/attach, pods/portforward, and proxy resources.