Skip to content

CVE-2022-3294: Node address isn't always verified when proxying #113757

New issue
New issue
Closed
Closed
CVE-2022-3294: Node address isn't always verified when proxying#113757
Labels
area/apiserverarea/securitycommittee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.official-cve-feedIssues or PRs related to CVEs officially announced by Security Response Committee (SRC)sig/api-machineryCategorizes an issue or PR as relevant to SIG API Machinery.triage/acceptedIndicates an issue or PR is ready to be actively worked on.
@tallclair

Description

@tallclair
tallclair
opened on Nov 8, 2022

CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them.

Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.

Am I vulnerable?

Clusters are affected by this vulnerability if there are endpoints that the kube-apiserver has connectivity to that users should not be able to access. This includes:

  • kube-apiserver is in a separate network from worker nodes
  • localhost services

mTLS services that accept the same client certificate as nodes may be affected. The severity of this issue depends on the privileges & sensitivity of the exploitable endpoints.

Clusters that configure the egress selector to use a proxy for cluster traffic may not be affected.

Affected Versions

  • Kubernetes kube-apiserver <= v1.25.3
  • Kubernetes kube-apiserver <= v1.24.7
  • Kubernetes kube-apiserver <= v1.23.13
  • Kubernetes kube-apiserver <= v1.22.15

How do I mitigate this vulnerability?

Upgrading the kube-apiserver to a fixed version mitigates this vulnerability.

Aside from upgrading, configuring an egress proxy for egress to the cluster network can mitigate this vulnerability.

Fixed Versions

  • Kubernetes kube-apiserver v1.25.4
  • Kubernetes kube-apiserver v1.24.8
  • Kubernetes kube-apiserver v1.23.14
  • Kubernetes kube-apiserver v1.22.16

Fix impact: In some cases, the fix can break clients that depend on the nodes/proxy subresource, specifically if a kubelet advertises a localhost or link-local address to the Kubernetes control plane.

Detection

Node create & update requests may be included in the Kubernetes audit log, and can be used to identify requests for IP addresses that should not be permitted. Node proxy requests may also be included in audit logs.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported by Yuval Avrahami of Palo Alto Networks.

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig api-machinery
/area apiserver

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/apiserverarea/securitycommittee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.official-cve-feedIssues or PRs related to CVEs officially announced by Security Response Committee (SRC)sig/api-machineryCategorizes an issue or PR as relevant to SIG API Machinery.triage/acceptedIndicates an issue or PR is ready to be actively worked on.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions