Alibaba Cloud has fixed vulnerability CVE-2020-8555 in kube-controller-manager for Container Service for Kubernetes (ACK). Vulnerability CVE-2020-8555 is a Server Side Request Forgery (SSRF) vulnerability of kube-controller-manager. Authorized users can forge requests of server-side applications to obtain arbitrary information from unprotected endpoints in the host network of master nodes. This topic describes the impacts, solution, and prevention measures for this vulnerability.

The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 3.0. For more information, see CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. The risk level is medium.

Impact scope

Prerequisites of attacks:
  • A local port of kube-apiserver that allows unauthorized access is open.
  • Unprotected services are open to the host network of master nodes.
  • Malicious users have the permissions to create pods or write StorageClass objects in a Kubernetes cluster.
Affected versions:
  • kube-controller-manager v1.16.0~v1.16.8
  • kube-controller-manager<v1.15.11

The affected volume types are GlusterFS, Quobyte, StorageFS, and ScaleIO.

Fixes

An authorized user may exploit this vulnerability to create a pod that is mounted with a vulnerable volume (GlusterFS, Quobyte, StorageFS, or ScaleIO) or write a StorageClass object in a Kubernetes cluster. The user can send GET or POST requests to Services that are open to the host network of master nodes. This way, the user can probe and attack the host network without authorization. For example, an attacker may use the unprotected port 8080 of kube-apiserver to obtain Kubernetes Secrets.

By default, the unprotected port 8080 is closed for an ACK cluster. All Resource Access Management (RAM) users must be granted role-based access control (RBAC) permissions to perform the preceding operations. By default, all RAM users except the user who creates the cluster are unauthorized to create pods or write StorageClass objects. To prevent data leaks from unprotected Services in the host network of master nodes, implement the measures described in pr.k8s.io/89794. A new version of kube-controller-manager is also provided to fix this vulnerability.

Prevention and mitigation

Note This vulnerability is fixed in the latest ACK version V1.16.9-aliyun.1. We recommend that you upgrade your clusters to V1.16.9-aliyun.1.
If cluster upgrades are not allowed by your business, we recommend that you implement the following prevention measures:
  • Do not open the unprotected port 8080 on kube-apiserver. By default, this port is closed in ACK clusters.
  • Check whether request authentication is enabled for Services that are open to the host network of master nodes. Find and disable the unprotected Services that may cause data leaks.
  • Do not authorize untrusted users to create pods or write StorageClass objects.