Bug 1843358 (CVE-2020-8558) - CVE-2020-8558 kubernetes: node localhost services reachable via martian packets
Summary: CVE-2020-8558 kubernetes: node localhost services reachable via martian packets
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8558
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1849175 1857092 1860047 1860048 1860049 1860050 1860051 1860052 1845772 1845773 1845774 1845775 1845776 1845777 1845778 1845780 1845781
Blocks: 1843354
TreeView+ depends on / blocked
 
Reported: 2020-06-03 06:32 UTC by Sam Fowler
Modified: 2020-08-05 10:26 UTC (History)
26 users (show)

Fixed In Version: kubernetes 1.19.0, kubernetes 1.18.4, kubernetes 1.17.7, kubernetes 1.17.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confidential information for any services listening on localhost ports that are not protected by authentication.
Clone Of:
Environment:
Last Closed: 2020-07-13 19:27:36 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2412 None None None 2020-07-13 17:23:24 UTC
Red Hat Product Errata RHSA-2020:2413 None None None 2020-07-13 16:45:01 UTC
Red Hat Product Errata RHSA-2020:2926 None None None 2020-07-21 10:43:00 UTC
Red Hat Product Errata RHSA-2020:2927 None None None 2020-07-21 09:55:51 UTC
Red Hat Product Errata RHSA-2020:2992 None None None 2020-07-27 18:49:40 UTC
Red Hat Product Errata RHSA-2020:3183 None None None 2020-08-05 10:12:32 UTC
Red Hat Product Errata RHSA-2020:3184 None None None 2020-08-05 10:26:48 UTC

Description Sam Fowler 2020-06-03 06:32:34 UTC
Kubernetes' kube-proxy enables net.ipv4.conf.all.route_localnet by default on all nodes. This allows neighbouring hosts on the local network to reach ports on Kubernetes nodes that are only exposed on localhost.

Comment 2 Sam Fowler 2020-06-03 06:33:33 UTC
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/90259

Comment 6 Sam Fowler 2020-06-17 05:37:29 UTC
Upstream Fix:

https://github.com/kubernetes/kubernetes/pull/91569

Comment 7 Sam Fowler 2020-06-17 05:37:33 UTC
Statement:

OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.

Comment 9 Sam Fowler 2020-07-08 22:04:05 UTC
External References:

https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE

Comment 11 Sam Fowler 2020-07-13 02:54:43 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: János Kövér (Ericsson), Rory McCune (NCC Group), Yuval Avrahami (Palo Alto Networks), Ariel Zelivansky (Palo Alto Networks)

Comment 12 Sam Fowler 2020-07-13 03:00:26 UTC
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/92315

Comment 13 errata-xmlrpc 2020-07-13 16:44:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2413 https://access.redhat.com/errata/RHSA-2020:2413

Comment 14 errata-xmlrpc 2020-07-13 17:23:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:2412 https://access.redhat.com/errata/RHSA-2020:2412

Comment 15 Product Security DevOps Team 2020-07-13 19:27:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8558

Comment 16 Sam Fowler 2020-07-15 06:36:40 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1857092]

Comment 17 errata-xmlrpc 2020-07-21 09:55:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2927 https://access.redhat.com/errata/RHSA-2020:2927

Comment 18 errata-xmlrpc 2020-07-21 10:42:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2926 https://access.redhat.com/errata/RHSA-2020:2926

Comment 20 errata-xmlrpc 2020-07-27 18:49:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2992 https://access.redhat.com/errata/RHSA-2020:2992

Comment 23 errata-xmlrpc 2020-08-05 10:12:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3183 https://access.redhat.com/errata/RHSA-2020:3183

Comment 24 errata-xmlrpc 2020-08-05 10:26:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3184 https://access.redhat.com/errata/RHSA-2020:3184


Note You need to log in before you can comment on or make changes to this bug.