A Kubernetes cluster configured to use an affected container networking implementation is vulnerable to man-in-the-middle attacks: with CAP_NET_RAW privileges, an attacker is able to intercept traffic from other containers on the host, or even from the host itself.
Kubernetes cluster deployments are on the rise, but so are cyber attacks targeting these highly prized environments. Although this container orchestration technology is the subject of dedicated security work, certain flaws, chained together, can still make it vulnerable. After the runc container runtime, another lever of compromise has been identified. “A Kubernetes cluster using an affected network implementation is vulnerable,” warned Joël Smith, a member of the Kubernetes security team, in a post. The vulnerability has been assigned CVE-2020-10749. “By sending advertisements to a compromised router, a malicious container can reconfigure the host to redirect some or all of the IPv6 traffic from the host to the container controlled by the attacker. Even if there was no IPv6 traffic before, if DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first, then fall back to IPv4, giving the attacker an opportunity to respond.”
The kubelet package versions affected by this vulnerability are v1.18.0 to v1.18.3, v1.17.0 to v1.17.6, and versions lower than v1.16.11. Affected Kubernetes cluster network implementations include the CNI plugins (0.8.6 and earlier), Calico and Calico Enterprise, Docker (before 19.03.11) and Weave Net (before 2.6.3). Cilium, Juniper Contrail Networking, OpenShift SDN, OVN-Kubernetes and Tungsten Fabric are reportedly not affected.
Patches expected on June 17
To prevent an attacker from using CAP_NET_RAW privileges to intercept traffic from other containers on the host, or from the host itself, the first step in case of doubt and/or compromise is to prohibit CAP_NET_RAW for untrusted workloads or users, and to use TLS connections with proper certificate validation. “Set the default host to reject advertisements from the router. This should prevent attacks from succeeding, but can interrupt legitimate traffic, depending on the implementation of networking and the network on which the cluster is running. To modify this parameter, set sysctl net.ipv6.conf.all.accept_ra to 0,” specifies Joël Smith.
The following packages will include corrected versions of the CNI container networking plug-ins previously installed via the kubernetes-cni package: kubelet v1.19.0+ (main branch, #91370), kubelet v1.18.4+ (#91387), kubelet v1.17.7+ (#91386) and kubelet v1.16.11+ (#91388). “Since these versions are not yet available, cluster administrators using Kubernetes repository packages can choose to manually upgrade the CNI plug-ins by retrieving the corresponding tarball from the containernetworking/plugins v0.8.6 release. The patched versions should be published on June 17, subject to change,” warns Joël Smith.
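The three checks an administrator would run against this advisory (is the kubelet in an affected range, do pod specs still grant NET_RAW, and is accept_ra still enabled on the host) can be scripted. The block below is an added example, not code from the Kubernetes project or from the advisory; the version ranges are the ones quoted in this article, and the pod manifest and sysctl output it reads are constructed sample input.

```python
"""Audit helpers for the CVE-2020-10749 mitigations described in the article.

Added example code (not from the Kubernetes project). Version ranges are
taken from the article text; all inputs below are constructed samples.
"""
from __future__ import annotations

import re

# First patch release per minor line that ships the corrected CNI plug-ins,
# as listed in the article: v1.16.11+, v1.17.7+, v1.18.4+ (and v1.19.0+).
FIRST_FIXED_PATCH = {(1, 16): 11, (1, 17): 7, (1, 18): 4}


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'v1.18.3' or '1.18.3-gke.1' into (major, minor, patch)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def kubelet_is_affected(version: str) -> bool:
    """True if the kubelet version falls in an affected range from the article."""
    major, minor, patch = parse_version(version)
    if (major, minor) in FIRST_FIXED_PATCH:
        return patch < FIRST_FIXED_PATCH[(major, minor)]
    if (major, minor) < (1, 16):
        return True  # "versions lower than v1.16.11" includes older minor lines
    return False  # v1.19.0+ ships the corrected plug-ins


def containers_keeping_net_raw(pod: dict) -> list[str]:
    """Names of containers whose securityContext does not drop NET_RAW.

    NET_RAW counts as dropped only if it (or ALL) is in capabilities.drop
    and it is not re-added; a container with no securityContext keeps the
    runtime default set, which includes NET_RAW. Conservative by design:
    anything ambiguous is reported.
    """
    spec = pod.get("spec", {})
    offenders = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        norm = lambda names: {n.upper().removeprefix("CAP_") for n in names or []}
        dropped, added = norm(caps.get("drop")), norm(caps.get("add"))
        if not (dropped & {"NET_RAW", "ALL"}) or "NET_RAW" in added:
            offenders.append(c["name"])
    return offenders


def accept_ra_violations(sysctl_output: str) -> dict[str, int]:
    """Parse 'key = value' lines (as printed by `sysctl -a`) and return every
    net.ipv6.conf.*.accept_ra key whose value is not 0.

    Note: accept_ra=2 accepts router advertisements even when forwarding is
    enabled, so it is flagged too.
    """
    bad: dict[str, int] = {}
    for line in sysctl_output.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not (key.startswith("net.ipv6.conf.") and key.endswith(".accept_ra")):
            continue
        try:
            v = int(value)
        except ValueError:
            continue
        if v != 0:
            bad[key] = v
    return bad


# Constructed sample pod: one container drops NET_RAW correctly, one does not.
SAMPLE_POD = {
    "spec": {
        "containers": [
            {"name": "web", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
            {"name": "sidecar"},  # no securityContext at all
        ]
    }
}

# Constructed sample sysctl output (not from a real host).
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 2
net.ipv6.conf.lo.accept_ra = 0
net.ipv6.conf.all.forwarding = 1
"""

if __name__ == "__main__":
    for v in ("v1.18.3", "v1.18.4", "v1.16.10", "v1.19.0"):
        print(v, "affected" if kubelet_is_affected(v) else "fixed")
    print("containers keeping NET_RAW:", containers_keeping_net_raw(SAMPLE_POD))
    print("accept_ra not 0:", accept_ra_violations(SAMPLE_SYSCTL))
```

The capability check treats a container with no securityContext as an offender because the runtime default capability set includes NET_RAW; dropping ALL (as the `web` container does) satisfies it without listing NET_RAW explicitly.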