#VU103955 Unprotected Alternate Channel in Kubelet - CVE-2020-8558

Cybersecurity Help s.r.o.

Published: 2025-02-13

Vulnerability identifier: #VU103955

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-8558

CWE-ID: CWE-420

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Kubelet
Web applications / Modules and components for CMS

Vendor: Kubernetes

Description

The vulnerability allows an adjacent attacker to reach TCP and UDP services.

The vulnerability exists due to application does not properly control consumption of internal resources. An adjacent attacker can reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Kubelet: 1.1.0 - 1.18.3, 1.2.0 - 1.2.7, 1.3.0 - 1.3.10, 1.4.0 - 1.4.12, 1.5.0 - 1.5.8, 1.6.0 - 1.6.13, 1.7.0 - 1.7.16, 1.8.0 - 1.8.15, 1.9.0 - 1.9.11

External links
https://github.com/kubernetes/kubernetes/issues/92315
https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ
https://security.netapp.com/advisory/ntap-20200821-0001/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Unprotected Alternate Channel in Kubelet kube-proxy