Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-8555: Half-Blind SSRF in kube-controller-manager #91542

Closed
tallclair opened this issue May 28, 2020 · 4 comments
Closed

CVE-2020-8555: Half-Blind SSRF in kube-controller-manager #91542

tallclair opened this issue May 28, 2020 · 4 comments
Labels
area/controller-manager area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/storage Categorizes an issue or PR as relevant to SIG Storage.

Comments

@tallclair
Copy link
Member

tallclair commented May 28, 2020
edited
Loading

CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET requests or POST requests without an attacker controlled request body from the master's host network.

Am I vulnerable?

You may be vulnerable if:

  • You are running a vulnerable version (see below)
  • There are unprotected endpoints normally only visible from the Kubernetes master (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master's private network)
  • Untrusted users can create pods with an affected volume type or modify storage classes.

Affected Versions

  • kube-controller-manager v1.18.0
  • kube-controller-manager v1.17.0 - v1.17.4
  • kube-controller-manager v1.16.0 - v1.16.8
  • kube-controller-manager <= v1.15.11

The affected volume types are: GlusterFS, Quobyte, StorageOS, ScaleIO

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.

Fixed Versions

The information leak was patched in the following versions:

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Additional Details

Exploitation of this vulnerability causes the kube-controller-manager to make a request to a user-supplied, unvalidated URL. The request does not include any kube-controller-manager client credentials.

Acknowledgements

This vulnerability was reported by Brice Augras from Groupe-Asten and Christophe Hauquiert from Nokia.

/area security
/kind bug
/committee product-security
/sig storage
/area controller-manager
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label May 28, 2020
@tallclair tallclair changed the title Placeholder issue CVE-2020-8555: Half-Blind SSRF in kube-controller-manager Jun 1, 2020
@k8s-ci-robot k8s-ci-robot added area/security kind/bug Categorizes issue or PR as related to a bug. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/storage Categorizes an issue or PR as relevant to SIG Storage. area/controller-manager and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 1, 2020
@mattcary mattcary mentioned this issue Jun 4, 2020
Merged
@humblec
Copy link
Contributor

humblec commented Jun 15, 2020

An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to

@tallclair it should be StorageOS instead of StorageFS

@tallclair
Copy link
Member Author

Thanks for the correction. Fixed.

@palma21 palma21 mentioned this issue Jul 12, 2020
Closed
@misterikkit misterikkit mentioned this issue Sep 30, 2020
Merged
@misterikkit
Copy link

Only the GlusterFS fix remains. We need to update our dependencies to include heketi/heketi#1771, but that hasn't been tagged in a release as of yet.

@harkirat22 harkirat22 mentioned this issue Jan 7, 2021
Merged
@liggitt liggitt mentioned this issue Jan 11, 2021
Merged
This was referenced Jan 11, 2021
Merged
Merged
@mend-for-github-com mend-for-github-com bot mentioned this issue Sep 16, 2021
Open
1 task
@PushkarJ
Copy link
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(Related to kubernetes/sig-security#1)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label Dec 2, 2021
@mend-for-github-com mend-for-github-com bot mentioned this issue May 9, 2022
Open
@k8s-sec-alert k8s-sec-alert mentioned this issue Sep 18, 2022
Open
This was referenced May 7, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/controller-manager area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/storage Categorizes an issue or PR as relevant to SIG Storage.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@misterikkit @PushkarJ @humblec @k8s-ci-robot @tallclair