Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-8558 |
CWE-ID | CWE-420 |
Exploitation vector | Local network |
Public exploit | N/A |
Vulnerable software | Kubelet (Web applications / Modules and components for CMS) |
Vendor | Kubernetes |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU103955
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-8558
CWE-ID: CWE-420 - Unprotected Alternate Channel
Exploit availability: No
Description
The vulnerability allows an adjacent attacker to reach TCP and UDP services bound to the node's loopback address.
The vulnerability exists because the application does not properly control consumption of internal resources. An adjacent attacker can reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defect, it could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.
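To see which services on a node fall into the category described above, the following added example (not part of the original bulletin or of Kubernetes) lists sockets bound to 127.0.0.0/8 from `/proc/net/tcp` and `/proc/net/udp` style input. The sample rows are constructed, and the address decoding assumes a little-endian host.

```python
"""Inventory loopback-bound TCP/UDP services, the ones this bulletin says may be exposed."""
import ipaddress

# Socket states in /proc/net/{tcp,udp}: 0A = TCP LISTEN, 07 = bound, unconnected UDP socket.
BOUND_STATE = {"tcp": "0A", "udp": "07"}

# Constructed sample input in /proc/net/tcp and /proc/net/udp layout (not from a real node).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20003 1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 20010 2
"""


def decode_endpoint(field):
    """Turn '0100007F:1F90' into (IPv4Address('127.0.0.1'), 8080); assumes little-endian host."""
    hex_addr, hex_port = field.split(":")
    addr = ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])
    return addr, int(hex_port, 16)


def loopback_services(proc_text, proto):
    """Return sorted (proto, address, port) tuples for sockets bound to 127.0.0.0/8."""
    found = set()
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4 or cols[3] != BOUND_STATE[proto]:
            continue  # skip malformed rows and sockets in other states (e.g. established)
        addr, port = decode_endpoint(cols[1])
        if addr.is_loopback:
            found.add((proto, str(addr), port))
    return sorted(found)


def audit(tcp_text, udp_text):
    """Combine the TCP and UDP inventories into one list."""
    return loopback_services(tcp_text, "tcp") + loopback_services(udp_text, "udp")


if __name__ == "__main__":
    # On a node, pass open("/proc/net/tcp").read() and open("/proc/net/udp").read() instead.
    for proto, addr, port in audit(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{proto} {addr}:{port} is bound to loopback; confirm it requires authentication")
```

Run it in the node's host network namespace, since `/proc/net/*` only reflects the namespace of the calling process.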
Mitigation
Install update from vendor's website.
Vulnerable software versions
Kubelet: 1.1.0 - 1.18.3
CPE2.3
https://github.com/kubernetes/kubernetes/issues/92315
https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ
https://security.netapp.com/advisory/ntap-20200821-0001/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.