
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN272
_____________________________________________________________________

DATE                : 12/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Kubernetes versions prior to 1.21.0,
                                1.20.6, 1.19.10, 1.18.18.

=====================================================================
https://groups.google.com/g/kubernetes-announce/c/eyQe8UHBhQw
_____________________________________________________________________

Hello Kubernetes Community,

A security issue was discovered in the Windows version of kube-proxy
where a process on a Node may be able to accept traffic intended for a
LoadBalancer Service. Clusters without Windows nodes are unaffected.


This issue has been rated Medium
(CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N), and assigned
CVE-2021-25736.


Kube-proxy on Windows can unintentionally forward traffic to local
processes listening on the same port (“spec.ports[*].port”) as a
LoadBalancer Service when the LoadBalancer controller does not set the
“status.loadBalancer.ingress[].ip” field. Clusters where the
LoadBalancer controller sets the “status.loadBalancer.ingress[].ip”
field are unaffected.


Affected Components and Configurations

Windows kube-proxy. Clusters with Windows nodes are affected by this
vulnerability.


Affected Versions

    Kubernetes <= v1.20.5
    Kubernetes <= v1.19.9
    Kubernetes <= v1.18.17



Fixed Versions

This issue has been fixed in the following versions:

    v1.21.0
    v1.20.6
    v1.19.10
    v1.18.18



Mitigations

None


Detection

Unexpected processes listening on the same port as used by a
LoadBalancer service could indicate exploitation of this issue, and
should be investigated.
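
One way to run the check described above (an added example, not part of
the original announcement or of Kubernetes itself): list the ports of
LoadBalancer Services whose status lacks "ingress[].ip" and compare them
with a per-node inventory of listening ports. The Service list, the
listener inventory and all names in them are constructed; how listeners
are collected from each Windows node is left to the operator.

```python
import json

# Constructed sample in the shape of `kubectl get services -A -o json`.
SERVICES = json.loads("""
{"items": [
 {"metadata": {"namespace": "web", "name": "front"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 443}, {"port": 80}]},
  "status": {"loadBalancer": {"ingress": [{"hostname": "lb.example.test"}]}}},
 {"metadata": {"namespace": "web", "name": "api"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 8443}]},
  "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.10"}]}}},
 {"metadata": {"namespace": "db", "name": "pg"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]},
  "status": {"loadBalancer": {}}}
]}
""")

# Constructed listener inventory for one Windows node: (local port, process name).
LISTENERS = [(443, "unknown.exe"), (8443, "helper.exe"), (5985, "svchost.exe")]


def exposed_ports(service_list):
    """Map port -> 'namespace/name' for LoadBalancer Services lacking ingress[].ip."""
    ports = {}
    for svc in service_list.get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        # Assumption: an empty ingress list is treated like a missing ip (conservative).
        if ingress and all(entry.get("ip") for entry in ingress):
            continue  # controller set ingress[].ip: described as unaffected
        name = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        for p in svc["spec"].get("ports", []):
            ports.setdefault(p["port"], name)
    return ports


def suspicious_listeners(service_list, listeners):
    """Return (port, process, service) for node listeners on an exposed Service port."""
    ports = exposed_ports(service_list)
    return sorted((port, proc, ports[port]) for port, proc in listeners if port in ports)


if __name__ == "__main__":
    for port, proc, svc in suspicious_listeners(SERVICES, LISTENERS):
        print(f"investigate: {proc} listening on {port}, same port as Service {svc}")
```

A match is a lead to investigate, as the advisory says, not proof of
exploitation.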

If you find evidence that this vulnerability has been exploited, please
contact secu...@kubernetes.io


Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/pull/99958


Acknowledgements

This vulnerability was discovered by Eric Paris & Christian Hernandez
from Red Hat.



Thank You,

  Swamy Shivaganga Nagaraju, on behalf of the Kubernetes Product
Security Committee

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


