CNI network plugins create network bridges that accept IPv6 router advertisements by default. An attacker able to execute code in a container could exploit this to spoof rogue IPv6 router advertisements in IPv4 clusters to perform a MitM attack against the host network or another container on the same host.
*** Bug 1833219 has been marked as a duplicate of this bug. ***
*** Bug 1833215 has been marked as a duplicate of this bug. ***
Upstream Fix: https://github.com/containernetworking/plugins/pull/484
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Etienne Champetier
Mitigation: Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.
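The mitigation above is enforced per container through the pod's securityContext. The following audit script is an added example written for this page; it is not code from the bug report, from Red Hat, or from containernetworking/plugins. It walks a pod list in the shape returned by `kubectl get pods -A -o json` (the embedded sample is constructed), reports every container that still holds CAP_NET_RAW, and shows the corrected securityContext for such a container. It assumes the container runtime's default capability set grants NET_RAW unless the pod drops it, which was the case for Docker and containerd defaults when this bug was filed.

```python
"""Audit Kubernetes pod specs for containers that keep CAP_NET_RAW.

Added example, not code from the bug report or from containernetworking/plugins.
Assumption: the runtime's default capability set includes NET_RAW, so a container
keeps it unless its securityContext drops it (or drops ALL) without adding it back.
"""
import copy
import json


def _norm(cap):
    # Kubernetes expects "NET_RAW", but people also write "CAP_NET_RAW" or lowercase.
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _caps(container):
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    add = {_norm(c) for c in caps.get("add") or []}
    drop = {_norm(c) for c in caps.get("drop") or []}
    return bool(sc.get("privileged")), add, drop


def keeps_net_raw(container):
    """True if this container can still open raw sockets (send forged RAs)."""
    privileged, add, drop = _caps(container)
    if privileged:                  # privileged implies the full capability set
        return True
    if "NET_RAW" in add:            # explicitly added back after a drop
        return True
    if "NET_RAW" in drop or "ALL" in drop:
        return False
    return True                     # runtime default (assumption in the docstring)


def audit_pod(pod):
    """Return 'namespace/pod:container' for every container keeping NET_RAW."""
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            if keeps_net_raw(c):
                findings.append(f"{meta.get('namespace')}/{meta.get('name')}:{c['name']}")
    return findings


def audit_pod_list(pod_list):
    findings = []
    for pod in pod_list.get("items", []):
        findings.extend(audit_pod(pod))
    return findings


def drop_net_raw(container):
    """Return a copy of the container spec with NET_RAW dropped and not re-added.

    Privileged containers are left as they are: they need a separate review,
    since removing the flag changes far more than the capability set.
    """
    fixed = copy.deepcopy(container)
    sc = fixed.setdefault("securityContext", {})
    caps = sc.setdefault("capabilities", {})
    caps["add"] = [c for c in caps.get("add") or [] if _norm(c) != "NET_RAW"]
    drop = caps.get("drop") or []
    if not any(_norm(c) in ("NET_RAW", "ALL") for c in drop):
        drop = drop + ["NET_RAW"]
    caps["drop"] = drop
    return fixed


# Constructed sample in `kubectl get pods -A -o json` shape (not from a real cluster).
SAMPLE_POD_LIST = {
    "items": [
        {"metadata": {"namespace": "default", "name": "legacy-app"},
         "spec": {"containers": [{"name": "web", "image": "example/web"}]}},
        {"metadata": {"namespace": "default", "name": "hardened-app"},
         "spec": {"containers": [{"name": "web", "image": "example/web",
                                  "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
        {"metadata": {"namespace": "kube-system", "name": "debug"},
         "spec": {"containers": [{"name": "tcpdump", "image": "example/tools",
                                  "securityContext": {"capabilities": {"drop": ["ALL"],
                                                                       "add": ["NET_RAW"]}}}]}},
    ]
}


if __name__ == "__main__":
    for finding in audit_pod_list(SAMPLE_POD_LIST):
        print("keeps CAP_NET_RAW:", finding)
    web = SAMPLE_POD_LIST["items"][0]["spec"]["containers"][0]
    print(json.dumps(drop_net_raw(web)["securityContext"], indent=2))
```

Run it against a real cluster by piping `kubectl get pods -A -o json` into `json.load` and passing the result to `audit_pod_list`; the same checks can be expressed as an admission policy so that new workloads cannot be created with NET_RAW in the first place.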
Upstream patch for this issue: https://github.com/containernetworking/plugins/pull/484/commits/219eb9e0464761c47383d239aba206da695e1a43
External References: https://groups.google.com/forum/#!topic/kubernetes-security-announce/BMb_6ICCfp8
Created containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 1842693]

Created golang-github-containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 1842694]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:2443 https://access.redhat.com/errata/RHSA-2020:2443
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2403 https://access.redhat.com/errata/RHSA-2020:2403
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10749
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2684 https://access.redhat.com/errata/RHSA-2020:2684
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:2592 https://access.redhat.com/errata/RHSA-2020:2592
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412
This issue has been addressed in the following products: RHEL-8-CNV-2.4 RHEL-7-CNV-2.4 Via RHSA-2020:3194 https://access.redhat.com/errata/RHSA-2020:3194
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4694 https://access.redhat.com/errata/RHSA-2020:4694
It can be verified on an OCP 3.11 cluster that IPv6 traffic is not forwarded with a command like below:

    $ ovs-ofctl -O OpenFlow13 dump-flows br0 | grep ipv6
    $

OpenShift SDN uses an OVS bridge which does not forward any packets that are not explicitly configured. There are no "ipv6" rules, therefore no "ipv6" traffic is forwarded.

http://www.openvswitch.org/support/dist-docs/ovs-fields.7.txt
Statement: In OpenShift Container Platform 4, the default network plugin, OpenShift SDN, and OVN-Kubernetes do not forward IPv6 traffic, making this vulnerability not exploitable. The affected code from containernetworking/plugins is however still included in these plugins, hence this vulnerability is rated Low for both OpenShift SDN and OVN-Kubernetes. IPv6 traffic is not forwarded by the OpenShift SDN in OpenShift Container Platform 3.11, making this vulnerability not exploitable. However, the affected code from containernetworking/plugins is still included in the atomic-openshift package, hence this vulnerability is rated Low for OpenShift Container Platform 3.11.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633