The Kubernetes community has disclosed vulnerability CVE-2020-8562. An attacker can bypass the proxy IP limit imposed by the API server and access the Kubernetes control plane components in the private network of a cluster, which results in unauthorized access. This topic describes the impacts, affected Kubernetes versions, and fixes for this vulnerability.
The CVE-2020-8562 vulnerability is rated low severity, with a Common Vulnerability Scoring System (CVSS) score of 2.2.
Impacts
For security reasons, the Kubernetes community has forbidden user-driven connections to the internal proxy of Services, pods, nodes, and StorageClasses. To enforce this restriction, Kubernetes performs a DNS resolution and checks whether the IP addresses requested by the proxy are within the link-local (169.254.0.0/16) or localhost (127.0.0.1/8) range. Kubernetes then performs a second DNS resolution without validating the IP addresses that it returns. If a non-standard DNS server returns different non-cached responses, an attacker can exploit this race condition to bypass the proxy IP limit and access the control plane components in the private network.
An attacker can bypass the proxy IP limit provided that the attacker can create or modify nodes and can access nodes by using the proxy. The attacker can also create or modify StorageClasses and access the log of kube-controller-manager.
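The check-then-resolve race described above, reproduced offline as an added example (not Kubernetes code and not part of this advisory), next to the general remedy of connecting to the exact IP address that was validated. `LookupFunc`, `flipping`, `checkThenResolve` and `resolveOncePinned` are hypothetical names, and the host name and addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
)

// LookupFunc (hypothetical) matches net.LookupIP so a stub can replace real DNS.
type LookupFunc func(host string) ([]net.IP, error)

// flipping is a constructed stub resolver whose answer changes on every call.
func flipping(answers ...string) LookupFunc {
	n := 0
	return func(string) ([]net.IP, error) {
		n++
		return []net.IP{net.ParseIP(answers[(n-1)%len(answers)])}, nil
	}
}

// lookup resolves host; with check=true it applies the advisory's range filter.
func lookup(resolve LookupFunc, host string, check bool) (net.IP, error) {
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("lookup %q failed: %v", host, err)
	}
	for _, ip := range ips {
		if check && (ip.IsLoopback() || ip.IsLinkLocalUnicast()) {
			return nil, fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	return ips[0], nil
}

// checkThenResolve is the flawed pattern: validate one lookup, dial a second one.
func checkThenResolve(resolve LookupFunc, host string) (net.IP, error) {
	if _, err := lookup(resolve, host, true); err != nil {
		return nil, err
	}
	return lookup(resolve, host, false) // second resolution, never validated
}

// resolveOncePinned validates a single lookup and returns that exact IP to dial.
func resolveOncePinned(resolve LookupFunc, host string) (net.IP, error) {
	return lookup(resolve, host, true)
}

func main() {
	fmt.Println(checkThenResolve(flipping("203.0.113.10", "127.0.0.1"), "node.example"))
	fmt.Println(resolveOncePinned(flipping("203.0.113.10", "127.0.0.1"), "node.example"))
}
```

The pinned variant only helps if the caller then connects to the returned IP literal rather than passing the host name to the dialer, which would trigger another resolution.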
Symptom
Affected versions
The kube-apiserver component in the following Kubernetes versions is affected by this vulnerability:
- Kubernetes ≤ v1.21.0
- Kubernetes ≤ v1.20.6
- Kubernetes ≤ v1.19.10
- Kubernetes ≤ v1.18.18
The Kubernetes community has not released patched Kubernetes versions.
Fixes
Follow the principle of least privilege and restrict the permissions to create and modify nodes and StorageClasses.