Bypass of Kubernetes API Server proxy TOCTOU
Description
As mitigations for a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation, Kubernetes performs a DNS name resolution check and validates that the response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution, without validation, for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane.
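The check-then-resolve-again pattern described above, next to a resolve-once variant, as an added illustration that is not Kubernetes code. All names are hypothetical, the resolver is a constructed stand-in returning one answer per query, and Go's `IsLoopback`/`IsLinkLocalUnicast` helpers also cover the IPv6 equivalents of the two ranges.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// lookupFunc stands in for a DNS resolver (hypothetical; one answer per query).
type lookupFunc func(host string) net.IP

// flipping is a constructed resolver that cycles through its answers on
// successive queries, modelling uncached responses that change between lookups.
func flipping(answers ...string) lookupFunc {
	n := 0
	return func(string) net.IP {
		n++
		return net.ParseIP(answers[(n-1)%len(answers)])
	}
}

// validated resolves host once and rejects loopback or link-local answers.
func validated(lookup lookupFunc, host string) (net.IP, error) {
	ip := lookup(host)
	if ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() {
		return nil, errors.New("no answer, or answer in loopback/link-local range")
	}
	return ip, nil
}

// checkThenResolveAgain is the flawed pattern: the checked answer is discarded
// and the connection target comes from a second, unchecked lookup.
func checkThenResolveAgain(lookup lookupFunc, host string) (net.IP, error) {
	if _, err := validated(lookup, host); err != nil {
		return nil, err
	}
	return lookup(host), nil
}

// resolveOncePinned hands the caller the IP that passed the check, to be dialed
// as a literal address so no later resolution can change the target.
func resolveOncePinned(lookup lookupFunc, host string) (net.IP, error) {
	return validated(lookup, host)
}

func main() {
	fmt.Println(checkThenResolveAgain(flipping("203.0.113.10", "127.0.0.1"), "svc.example"))
	fmt.Println(resolveOncePinned(flipping("203.0.113.10", "127.0.0.1"), "svc.example"))
}
```

With the constructed resolver, the first function returns the unchecked second answer while the second returns the address that was actually validated.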
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/kubernetes (Go) | >= 1.21.0, <= 1.21.1 | — |
| k8s.io/kubernetes (Go) | >= 1.20.0, <= 1.20.7 | — |
| k8s.io/kubernetes (Go) | >= 1.19.0, <= 1.19.11 | — |
| k8s.io/kubernetes (Go) | <= 1.18.19 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-qh36-44jv-c8xj
- nvd.nist.gov/vuln/detail/CVE-2020-8562
- github.com/kubernetes/kubernetes/issues/101493
- groups.google.com/g/kubernetes-security-announce/c/-MFX60_wdOY
- security.netapp.com/advisory/ntap-20220225-0002/