VYPR
Critical severity · NVD Advisory · Published Apr 4, 2023 · Updated Feb 18, 2025

CVE-2021-28235

Description

Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authentication weakness in the debug function of etcd v3.4.10 lets a remote attacker escalate privileges; the NVD description names the component but not the exact endpoint, so the notes below reason from the description, the severity rating and the cited references.

Root cause

The weakness lies in the debug function of etcd 3.4.10, the distributed key-value store that Kubernetes uses as its backing store. According to the description, that function does not apply the authentication checks that gate etcd's other privileged operations, so a remote client can reach a debugging interface without presenting the client certificate or user credentials that etcd's security model otherwise requires for administrative access.

Exploitation prerequisites

The Critical rating reflects an attack that needs neither credentials nor network adjacency: a remote attacker who can reach the exposed etcd API endpoint can invoke the debug function without a prior session or certificate, because the authentication path is not consulted for it. The attack surface is therefore every deployment whose etcd listener is reachable beyond the cluster's own nodes, in particular where no network segmentation sits in front of the API.

Impact

Successful exploitation grants the attacker escalated privileges within the etcd cluster. That can mean reading, modifying or deleting any key in the store, which disrupts Kubernetes and any other distributed system that keeps its configuration and state in etcd. Because Kubernetes persists Secrets in etcd as well, an attacker can also pivot to other components by harvesting or altering the credentials stored there.

Mitigation status

Upgrade to a release of etcd later than 3.4.10 that addresses this issue; this page has not indexed a specific fix commit (see Patches below). Red Hat has also issued advisories for affected products in its portfolio [1][2]. Until an upgrade is applied there is no workaround other than restricting network access to the etcd API, so that the client and debug endpoints are reachable only from trusted hosts.
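The exposure pattern behind the root cause above, and the gate the mitigation calls for, as an added example that is not etcd's own code: a privileged debug interface (Go's net/http/pprof handlers stand in for it) is mounted once on the public mux with no authentication, and once behind middleware that admits only requests carrying a client certificate the server has verified. The route paths, handler names, the serverTLSConfig helper and the probeDebug check are constructed for this illustration and are not taken from etcd.

```go
package main

// Added example, not etcd's code. A privileged debug interface is mounted
// two ways: on the public mux with no authentication (weakHandler), and
// behind a verified-client-certificate gate (hardenedHandler). The paths,
// handler names and the probe helper are constructed for this illustration.

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// debugMux stands in for a privileged debugging interface: pprof exposes
// process internals and should never be reachable by unauthenticated peers.
func debugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	return mux
}

// weakHandler mounts the debug interface on the same mux as the public API.
// Anyone who can reach the listener can call it; no credential is consulted,
// which is the shape of the weakness the description reports.
func weakHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	mux.Handle("/debug/", debugMux())
	return mux
}

// requireClientCert rejects any request that did not arrive over TLS with a
// client certificate chain the server verified. r.TLS.VerifiedChains is only
// populated when the listener's tls.Config verifies client certificates (see
// serverTLSConfig), so plaintext or certificate-less requests get 401.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedHandler keeps the public route open and gates the debug routes.
func hardenedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	mux.Handle("/debug/", requireClientCert(debugMux()))
	return mux
}

// serverTLSConfig is the listener-side setting that makes the middleware
// meaningful: the server demands a client certificate and verifies it
// against the trusted client CA pool before the handler ever runs.
func serverTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
		MinVersion: tls.VersionTLS12,
	}
}

// probeDebug issues an unauthenticated plaintext GET for path against h and
// returns the HTTP status: the check a reviewer runs to learn whether a debug
// route answers without credentials.
func probeDebug(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	for _, c := range []struct {
		name string
		h    http.Handler
	}{{"weak", weakHandler()}, {"hardened", hardenedHandler()}} {
		fmt.Printf("%-8s /debug/pprof/cmdline -> %d\n", c.name, probeDebug(c.h, "/debug/pprof/cmdline"))
		fmt.Printf("%-8s /health              -> %d\n", c.name, probeDebug(c.h, "/health"))
	}
}
```

The weak mux answers the debug route with 200 to a plaintext request; the hardened mux answers 401 while /health stays open. The middleware on its own is not enough: it only sees a verified chain when the listener is started with a tls.Config whose ClientAuth is RequireAndVerifyClientCert, which is why serverTLSConfig is part of the example. Network restriction, the mitigation the advisory points to, is complementary: binding the debug listener to a trusted interface limits who can even attempt the request.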

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 10

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0. No linked articles in our index yet.