Bug 2101434 (CVE-2022-2220)

Summary: CVE-2022-2220 openshift-router: fails to verify subdomain ownership which can lead to route takeover
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: akashem, aos-bugs, aos-network-edge-staff, bmontgom, eparis, jburrell, joelsmith, mfojtik, mmasters, nstielau, security-response-team, sponnaga, sttts, vkumar, xxia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Insufficient Granularity of Access Control in an OpenShift router causes improper subdomain ownership verification, allowing route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record to expose this route externally. The CNAME record should point the custom domain to the OpenShift router as the alias. If the CNAME is not removed when the route is not in use anymore, there is a dangling route that a malicious actor may take over.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-04 18:21:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2101438, 2101439, 2101440, 2101441
Bug Blocks: 2099292

Description Michael Kaplan 2022-06-27 13:29:18 UTC
OpenShift doesn't properly verify subdomain ownership, which allows route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record (if they want to expose this route externally). The CNAME record should point the custom domain to the OpenShift router as the alias. In case the CNAME is not removed when the route is no longer in use, we are dealing with a dangling route. A malicious actor may take over the route.

Comment 1 lnacshon 2022-06-27 13:44:52 UTC
Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record (if they want to expose this route externally). The CNAME record should point the custom domain to the OpenShift router as the alias.

In case the CNAME is not removed when the route is no longer in use, we are dealing with a dangling route. A malicious actor may take over the route.

OCP Managed services are not affected: to use a custom domain in OSD, customers use https://github.com/openshift/custom-domains-operator, which creates an additional ingress only known by the custom name, so there is no CNAME mapping in the external DNS to the "default" ingress' names.

Comment 7 Miciah Dashiel Butler Masters 2022-10-24 21:07:54 UTC
I've closed the dependent bugs as DUPLICATE, EOL (for the 3.11 BZs), or NOTABUG.  As I noted in bug 2101438, engineering maintains that it is the cluster administrator's responsibility to manage DNS records and to secure sensitive routes using TLS.  If an automated solution is required for managing DNS records, the cluster administrator can use external-dns.  Alternatively, a controller could be implemented to block route deletion if a DNS record exists for the route.  I suggest filing an RFE if such a solution is required from engineering.
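Comment 7 puts the responsibility on the cluster administrator and suggests either external-dns or a controller that refuses to delete a Route while a DNS record still points at it. The following Python script is an added example, not code from this bug or from OpenShift: it models both halves of that advice as an offline audit over two inputs an administrator already has, a CNAME export of their own DNS zone and the list of hosts currently claimed by Route objects (in practice the `.spec.host` values from `oc get routes -A -o json`). The zone records, hostnames and router canonical name are constructed sample values; `find_dangling_cnames` and `route_deletion_allowed` are hypothetical helper names.

```python
"""Audit for CNAME records that alias an OpenShift router without a matching Route.

Added example (not from the bug report or from OpenShift). It reproduces the
condition described in the Doc Text: a CNAME in the organisation's zone still
points a custom domain at the router, but no Route claims that host any more,
so the name is dangling. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class CnameRecord:
    name: str    # owner name of the record, e.g. "shop.example.com"
    target: str  # alias target, e.g. "router-default.apps.cluster.example.com"


def normalize(host: str) -> str:
    """Lower-case the name and drop the trailing dot that zone exports carry,
    so "Shop.Example.COM." and "shop.example.com" compare equal."""
    return host.strip().lower().rstrip(".")


def find_dangling_cnames(records: Iterable[CnameRecord],
                         route_hosts: Iterable[str],
                         router_cnames: Iterable[str]) -> List[str]:
    """Return owner names that alias the router but that no Route claims.

    records       : CNAME records exported from the zone (assumed input)
    route_hosts   : .spec.host of every Route in the cluster, all namespaces
    router_cnames : canonical name(s) of the cluster's router(s)
    """
    claimed = {normalize(h) for h in route_hosts}
    routers = {normalize(r) for r in router_cnames}
    return sorted(
        normalize(rec.name)
        for rec in records
        if normalize(rec.target) in routers and normalize(rec.name) not in claimed
    )


def route_deletion_allowed(host: str,
                           records: Iterable[CnameRecord],
                           router_cnames: Iterable[str]) -> bool:
    """Admission-style check from comment 7: deleting the Route for `host` is
    refused while a CNAME in the zone still points that host at the router.
    Returns True when no such record exists and deletion may proceed."""
    routers = {normalize(r) for r in router_cnames}
    still_aliased = any(
        normalize(rec.name) == normalize(host) and normalize(rec.target) in routers
        for rec in records
    )
    return not still_aliased


# Constructed sample data: one router, four zone records, three Routes.
ROUTER_CNAMES = ["router-default.apps.cluster.example.com"]

SAMPLE_ZONE = [
    CnameRecord("shop.example.com.", "router-default.apps.cluster.example.com."),
    # mixed case and trailing dots, as a zone export may contain
    CnameRecord("api.example.com.", "ROUTER-DEFAULT.APPS.CLUSTER.EXAMPLE.COM."),
    # route was deleted but the CNAME was left behind: the dangling case
    CnameRecord("old-app.example.com.", "router-default.apps.cluster.example.com."),
    # points somewhere else entirely, not the router's concern
    CnameRecord("www.example.com.", "cdn-edge.example.net."),
]

SAMPLE_ROUTE_HOSTS = ["shop.example.com", "api.example.com", "internal.example.com"]


if __name__ == "__main__":
    for name in find_dangling_cnames(SAMPLE_ZONE, SAMPLE_ROUTE_HOSTS, ROUTER_CNAMES):
        print(f"DANGLING: {name} still aliases the router but no Route claims it")
    for host in SAMPLE_ROUTE_HOSTS:
        verdict = "allowed" if route_deletion_allowed(host, SAMPLE_ZONE, ROUTER_CNAMES) else "BLOCKED"
        print(f"delete Route for {host}: {verdict}")
```

Run as a scheduled audit, the first function is the report an administrator would act on (remove the record or recreate the Route); the second is the decision a deletion-blocking controller would make. Route hosts must be collected from every namespace, and a zone that uses wildcard CNAMEs (`*.example.com`) needs an extra match rule, since a wildcard alias leaves every unclaimed subdomain pointing at the router.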