[Security Advisory] CVE-2020-8555: Half-Blind SSRF in kube-controller-manager
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master’s host network (such as link-local or loopback services).
From: Tim Allclair
Date: Jun 1, 2020, 6:05:28 PM
To: kubernete…@googlegroups.com, Kubernetes developer/contributor discussion, kubernetes-sec…@googlegroups.com, kubernetes-security-discuss, oss-se…@lists.openwall.com, kubernetes+a…@discoursemail.com
Hello Kubernetes Community,
There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master’s host network (such as link-local or loopback services).
This issue has been rated medium (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N), and assigned CVE-2020-8555.
Am I vulnerable?
You may be vulnerable if:
You are running a vulnerable version (see below);
There are unprotected endpoints normally only visible from the Kubernetes master (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master’s private network); and
Untrusted users can create pods with an affected volume type or modify storage classes.
Affected Versions
kube-controller-manager v1.18.0
kube-controller-manager v1.17.0 - v1.17.4
kube-controller-manager v1.16.0 - v1.16.8
kube-controller-manager < v1.15.11
The affected volume types are: GlusterFS, Quobyte, StorageOS, ScaleIO
How do I mitigate this vulnerability?
Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.
Fixed Versions
The information leak was patched in the following versions:
kube-controller-manager v1.18.1+
kube-controller-manager v1.17.5+
kube-controller-manager v1.16.9+
kube-controller-manager v1.15.12+
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Further work to protect against SSRF is underway and will be included in an upcoming patch release (details to follow).
Additional Details
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/91542
Thank You,
Tim Allclair on behalf of the Kubernetes Product Security Committee
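The advisory's "Am I vulnerable?" and mitigation sections describe three checks an operator would want to run: whether the kube-controller-manager build is in an affected range, whether any Pod uses one of the four affected volume types, and whether the PodSecurityPolicies in place still permit those types. The script below is an added example, not code from the advisory or from the Kubernetes project. It assumes the version ranges given in the Fixed Versions list above (everything before the first fixed patch of 1.15 through 1.18 is affected, and all of 1.0 to 1.14), that the affected volume types appear under the field names glusterfs, quobyte, storageos and scaleIO in both PodSpec.volumes and PodSecurityPolicy.spec.volumes, and that the input is the JSON produced by `kubectl get ... -o json`; the sample Pod and PodSecurityPolicy objects are constructed for the example.

```python
"""Offline audit helpers for CVE-2020-8555 (added example, not part of the
advisory or the Kubernetes code base).

Three checks a cluster operator would want to run:
  1. is_vulnerable()         - is a kube-controller-manager version in an affected range?
  2. affected_volumes()      - does a Pod spec use one of the four affected volume types?
  3. psp_permits_affected()  - does a PodSecurityPolicy still allow those types?

The JSON shapes match `kubectl get pods -o json` / `kubectl get psp -o json`;
the sample objects below are constructed for this example.
"""
import json
import re

# Field names of the affected in-tree volume sources as they appear in
# PodSpec.volumes[] and in PodSecurityPolicy.spec.volumes (same spelling).
AFFECTED_VOLUME_TYPES = frozenset({"glusterfs", "quobyte", "storageos", "scaleIO"})

# First fixed patch release per minor, from the advisory's "Fixed Versions" list.
# Minors below 1.15 were never patched; minors above 1.18 were released fixed.
FIRST_FIXED_PATCH = {15: 12, 16: 9, 17: 5, 18: 1}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def is_vulnerable(version: str) -> bool:
    """Return True if this kube-controller-manager version is in an affected range.

    Accepts gitVersion strings such as 'v1.17.4' or 'v1.17.4-gke.10'; only the
    leading major.minor.patch is considered.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return False
    if minor < 15:
        return True              # v1.0 - v1.14: affected, no fix released
    if minor > 18:
        return False             # v1.19+ shipped with the fix
    return patch < FIRST_FIXED_PATCH[minor]


def affected_volumes(pod: dict) -> list:
    """List (volume name, volume type) pairs in a Pod that use an affected type."""
    found = []
    for vol in (pod.get("spec", {}).get("volumes") or []):
        for vtype in sorted(AFFECTED_VOLUME_TYPES):
            if vtype in vol:
                found.append((vol.get("name", ""), vtype))
    return found


def psp_permits_affected(psp: dict) -> set:
    """Return the affected volume types a PodSecurityPolicy still allows.

    An empty set means the policy already blocks all four; '*' allows everything.
    """
    allowed = set(psp.get("spec", {}).get("volumes") or [])
    if "*" in allowed:
        return set(AFFECTED_VOLUME_TYPES)
    return allowed & AFFECTED_VOLUME_TYPES


# --- constructed sample objects (not real cluster data) ---------------------
SAMPLE_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "web", "namespace": "tenant-a"},
 "spec": {"containers": [{"name": "app", "image": "nginx"}],
          "volumes": [
            {"name": "data", "glusterfs": {"endpoints": "glusterfs-cluster", "path": "vol0"}},
            {"name": "scratch", "emptyDir": {}}]}}
""")

SAMPLE_PSP_OPEN = {"kind": "PodSecurityPolicy", "metadata": {"name": "permissive"},
                   "spec": {"volumes": ["*"]}}

SAMPLE_PSP_RESTRICTED = {"kind": "PodSecurityPolicy", "metadata": {"name": "restricted"},
                         "spec": {"volumes": ["configMap", "emptyDir", "projected",
                                              "secret", "persistentVolumeClaim"]}}


def audit(version: str, pods: list, psps: list) -> dict:
    """Combine the three checks into one report for a cluster."""
    return {
        "controller_manager_vulnerable": is_vulnerable(version),
        "pods_using_affected_types": [
            (p["metadata"]["namespace"], p["metadata"]["name"], vols)
            for p in pods if (vols := affected_volumes(p))],
        "psps_permitting_affected_types": {
            p["metadata"]["name"]: sorted(types)
            for p in psps if (types := psp_permits_affected(p))},
    }


if __name__ == "__main__":
    report = audit("v1.17.4", [SAMPLE_POD], [SAMPLE_PSP_OPEN, SAMPLE_PSP_RESTRICTED])
    print(json.dumps(report, indent=2))
```

The Pod check only looks at inline volume sources; a Pod that mounts a PersistentVolumeClaim bound to a volume of an affected type is not flagged, which is why the advisory also asks for StorageClass write permissions to be restricted through RBAC. A PodSecurityPolicy that lists "*" under spec.volumes (or does not list volumes at all, depending on how it is combined with other policies) does nothing to block the affected types, so the restricted allow-list is the form to compare against.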