Bug 1833220 (CVE-2020-10749) - CVE-2020-10749 containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters
Summary: CVE-2020-10749 containernetworking/plugins: IPv6 router advertisements allow ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10749
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1833215 1833219 (view as bug list)
Depends On: 1837779 1837780 1842337 1842694 1837209 1837781 1837782 1840464 1840465 1841607 1842334 1842335 1842336 1842391 1842392 1842393 1842693 1842927 1842928 1842944
Blocks: 1833165
TreeView+ depends on / blocked
 
Reported: 2020-05-08 05:39 UTC by Sam Fowler
Modified: 2020-07-28 19:07 UTC (History)
27 users (show)

Fixed In Version: containernetworking/plugins 0.8.6
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in affected container networking implementations that allow malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending “rogue” IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.
Clone Of:
Environment:
Last Closed: 2020-06-17 23:20:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2403 None None None 2020-06-17 20:50:52 UTC
Red Hat Product Errata RHSA-2020:2412 None None None 2020-07-13 17:23:22 UTC
Red Hat Product Errata RHSA-2020:2443 None None None 2020-06-17 19:45:17 UTC
Red Hat Product Errata RHSA-2020:2592 None None None 2020-07-01 16:05:24 UTC
Red Hat Product Errata RHSA-2020:2684 None None None 2020-06-23 14:27:11 UTC
Red Hat Product Errata RHSA-2020:3194 None None None 2020-07-28 19:07:34 UTC

Description Sam Fowler 2020-05-08 05:39:41 UTC
CNI network plugins create network bridges that IPv6 router advertisements by default. An attacker able to execute code in a container could exploit this to spoof rouge IPv6 router advertisements in IPv4 clusters to perform a MitM attack against the host network or another container on the same host.

Comment 6 Sam Fowler 2020-05-20 00:44:24 UTC
*** Bug 1833219 has been marked as a duplicate of this bug. ***

Comment 7 Sam Fowler 2020-05-20 00:45:43 UTC
*** Bug 1833215 has been marked as a duplicate of this bug. ***

Comment 8 Sam Fowler 2020-05-20 00:48:45 UTC
Upstream Fix:

https://github.com/containernetworking/plugins/pull/484

Comment 14 Sam Fowler 2020-05-28 06:17:49 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Etienne Champetier

Comment 25 Sam Fowler 2020-06-01 10:39:00 UTC
Statement:

In OpenShift Container Platform 4, the default network plugin, OpenShift SDN, and OVN Kubernetes, do not forward IPv6 traffic, making this vulnerability not exploitable. The affected code from containernetworking/plugins is however still included in these plugins, hence this vulnerability is rated Low for both OpenShift SDN and OVN-Kubernetes.

IPv6 traffic is not supported in OpenShift Container Platform 3.11, making this vulnerability not exploitable. However, the affected code from containernetworking/plugins is still included in the atomic-openshift package, hence this vulnerability is rated Low for OpenShift Container Platform 3.11.

Comment 26 Sam Fowler 2020-06-01 10:51:54 UTC
Mitigation:

Prevent untrusted, non-privileged containers from running with CAP_NET_RAW.

Comment 29 Sam Fowler 2020-06-01 21:10:49 UTC
Created containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 1842693]


Created golang-github-containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 1842694]

Comment 32 errata-xmlrpc 2020-06-17 19:45:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2443 https://access.redhat.com/errata/RHSA-2020:2443

Comment 33 errata-xmlrpc 2020-06-17 20:50:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2403 https://access.redhat.com/errata/RHSA-2020:2403

Comment 34 Product Security DevOps Team 2020-06-17 23:20:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10749

Comment 35 errata-xmlrpc 2020-06-23 14:27:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:2684 https://access.redhat.com/errata/RHSA-2020:2684

Comment 36 errata-xmlrpc 2020-07-01 16:05:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2592 https://access.redhat.com/errata/RHSA-2020:2592

Comment 37 errata-xmlrpc 2020-07-13 17:23:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 38 errata-xmlrpc 2020-07-28 19:07:31 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.4
  RHEL-7-CNV-2.4

Via RHSA-2020:3194 https://access.redhat.com/errata/RHSA-2020:3194


Note You need to log in before you can comment on or make changes to this bug.