2101434 – (CVE-2022-2220) CVE-2022-2220 openshfit-router: fails to verify subdomain ownership which can lead to route takeover

Bug 2101434 (CVE-2022-2220) - CVE-2022-2220 openshfit-router: fails to verify subdomain ownership which can lead to route takeover

Summary: CVE-2022-2220 openshfit-router: fails to verify subdomain ownership which can...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2022-2220
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2101438 2101439 2101440 2101441
Blocks:	2099292
TreeView+	depends on / blocked

Reported:	2022-06-27 13:29 UTC by Michael Kaplan
Modified:	2023-01-20 17:51 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	Insufficient Granularity of Access Control in an OpenShift router causes improper subdomain ownership verification, allowing route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record to expose this route externally. The CNAME record should point the custom domain to the OpenShift router as the alias. If the CNAME is not removed when the route is not in use anymore, there is a dangling route that a malicious actor may take over.
Clone Of:
Environment:
Last Closed:	2023-01-04 18:21:43 UTC
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2022-06-27 13:29:18 UTC

OpenShift doesn't properly verify subdomain ownership, which allows route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record (if he likes to expose this route externally). The CNAME record should point the custom domain to the OpenShift router as the alias. In a case that the CNAME is not removed when the route is not in use anymore we are dealing with a dangling route. A malicious actor may take over the route.

Comment 1 lnacshon 2022-06-27 13:44:52 UTC

Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record (if he likes to expose this route externally). The CNAME record should point the custom domain to the OpenShift router as the alias. 

In a case that the CNAME is not removed when the route is not in use anymore we are dealing with a dangling route. A malicious actor may take over the route. 

OCP Managed services are not affected, to use a custom domain in OSD, customers use https://github.com/openshift/custom-domains-operator,  which creates an additional ingress only known by the custom name, so there is no CNAME mapping in the external DNS to the "default" ingress' names.

Comment 7 Miciah Dashiel Butler Masters 2022-10-24 21:07:54 UTC

I've closed the dependent bugs as DUPLICATE, EOL (for the 3.11 BZs), or NOTABUG.  As I noted in bug 2101438, engineering maintains that it is the cluster administrator's responsibility to manage DNS records and to secure sensitive routes using TLS.  If an automated solution is required for managing DNS records, the cluster administrator can use external-dns.  Alternatively, a controller could be implemented to block route deletion if a DNS record exists for the route.  I suggest filing an RFE if such a solution is required from engineering.

Note You need to log in before you can comment on or make changes to this bug.