Alibaba Cloud has fixed vulnerability CVE-2020-8555 in kube-controller-manager for Container Service for Kubernetes (ACK). CVE-2020-8555 is a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager. An authorized user can cause kube-controller-manager to send requests on the user's behalf and thereby read arbitrary information from unprotected endpoints in the host network of master nodes. This topic describes the impacts, solution, and prevention measures for this vulnerability.
This vulnerability is rated with CVSS 3.0. For more information, see the vector CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. The risk level is medium.
Impact scope
- A local port of kube-apiserver that allows unauthorized access is open.
- Unprotected services are open to the host network of master nodes.
- Malicious users have the permissions to create pods or write StorageClass objects in a Kubernetes cluster.
- kube-controller-manager v1.16.0 ~ v1.16.8
- kube-controller-manager < v1.15.11
The affected volume types are GlusterFS, Quobyte, StorageOS, and ScaleIO.
Fixes
An authorized user can exploit this vulnerability by creating a pod that mounts a vulnerable volume type (GlusterFS, Quobyte, StorageOS, or ScaleIO) or by writing a StorageClass object in a Kubernetes cluster. kube-controller-manager then sends GET or POST requests on the user's behalf to Services that are open to the host network of master nodes, which lets the user probe and attack the host network without authorization. For example, an attacker could use the unprotected port 8080 of kube-apiserver to obtain Kubernetes Secrets.
By default, the unprotected port 8080 is closed for an ACK cluster. Resource Access Management (RAM) users must be granted role-based access control (RBAC) permissions before they can perform the preceding operations, and by default all RAM users except the user who created the cluster are not authorized to create pods or write StorageClass objects. To prevent data leaks from unprotected Services in the host network of master nodes, implement the measures described in pr.k8s.io/89794. A new version of kube-controller-manager that fixes this vulnerability is also provided.
Prevention and mitigation
- Do not open the unprotected port 8080 on kube-apiserver. By default, this port is closed in ACK clusters.
- Check whether request authentication is enabled for Services that are open to the host network of master nodes. Find and disable the unprotected Services that may cause data leaks.
- Do not authorize untrusted users to create pods or write StorageClass objects.
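The checklist above (affected versions, the unprotected kube-apiserver port, and who may create pods or write StorageClass objects) can be turned into an offline audit. The following Python is an added example, not Alibaba Cloud or Kubernetes project code. It assumes the inputs are obtained separately, for example from `kubectl version -o json`, the kube-apiserver static pod manifest, `kubectl get clusterroles -o json` and `kubectl get pods -A -o json`; the sample data embedded below is constructed, and the function names are hypothetical.

```python
"""Offline audit helpers for the CVE-2020-8555 checklist (example code,
not part of ACK or Kubernetes). Sample inputs below are constructed."""
import re

# Affected kube-controller-manager ranges as listed on this page
# (inclusive lower and upper bounds).
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 15, 10)),   # kube-controller-manager < v1.15.11
    ((1, 16, 0), (1, 16, 8)),   # v1.16.0 ~ v1.16.8
]

# PodSpec volume keys of the vulnerable volume types named on this page.
VULNERABLE_VOLUME_KEYS = ("glusterfs", "quobyte", "storageos", "scaleIO")


def parse_version(v):
    """'v1.16.3-aliyun.1' -> (1, 16, 3); tolerates a leading 'v' and suffixes."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(v):
    """True if the kube-controller-manager version falls in an affected range."""
    ver = parse_version(v)
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def insecure_port_open(apiserver_args):
    """True if the kube-apiserver command line leaves the unauthenticated
    (insecure) port enabled. On the affected releases --insecure-port
    defaulted to 8080, so an absent flag counts as open."""
    for arg in apiserver_args:
        if arg.startswith("--insecure-port="):
            return arg.split("=", 1)[1].strip() != "0"
    return True


# Verbs that satisfy the exploit preconditions named on this page.
POD_CREATE = {"create", "*"}
SC_WRITE = {"create", "update", "patch", "*"}


def _rule_matches(rule, group, resource, verbs):
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return ((group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and bool(set(rule.get("verbs", [])) & verbs))


def risky_roles(cluster_roles):
    """Return {roleName: [reasons]} for roles that allow creating pods or
    writing StorageClass objects. Bind such roles only to trusted users."""
    findings = {}
    for role in cluster_roles:
        reasons = set()
        for rule in role.get("rules", []):
            if _rule_matches(rule, "", "pods", POD_CREATE):
                reasons.add("can create pods")
            if _rule_matches(rule, "storage.k8s.io", "storageclasses", SC_WRITE):
                reasons.add("can write StorageClass objects")
        if reasons:
            findings[role["metadata"]["name"]] = sorted(reasons)
    return findings


def pods_with_vulnerable_volumes(pods):
    """Return 'namespace/name' of pods that mount one of the affected volume types."""
    hits = []
    for pod in pods:
        for vol in pod.get("spec", {}).get("volumes", []):
            if any(key in vol for key in VULNERABLE_VOLUME_KEYS):
                meta = pod["metadata"]
                hits.append(f"{meta.get('namespace', 'default')}/{meta['name']}")
                break
    return hits


# Constructed sample data standing in for kubectl output.
SAMPLE_APISERVER_ARGS = ["kube-apiserver", "--secure-port=6443", "--insecure-port=0"]
SAMPLE_ROLES = [
    {"metadata": {"name": "view-only"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]}]},
    {"metadata": {"name": "storage-admin"},
     "rules": [{"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["*"]}]},
]
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "prod"},
     "spec": {"volumes": [{"name": "data", "emptyDir": {}}]}},
    {"metadata": {"name": "legacy-nfs", "namespace": "prod"},
     "spec": {"volumes": [{"name": "gfs", "glusterfs": {"endpoints": "ep", "path": "vol"}}]}},
]

if __name__ == "__main__":
    print("controller-manager v1.16.3 affected:", is_affected_version("v1.16.3"))
    print("insecure port open:", insecure_port_open(SAMPLE_APISERVER_ARGS))
    print("risky roles:", risky_roles(SAMPLE_ROLES))
    print("pods with vulnerable volumes:", pods_with_vulnerable_volumes(SAMPLE_PODS))
```

The version check mirrors only the two ranges listed on this page; the RBAC scan treats a `*` wildcard in apiGroups, resources or verbs as a match, because a wildcard role grants the same precondition as an explicit one.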