
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN280
_____________________________________________________________________

DATE                : 19/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Kubernetes versions prior to 1.21.1,
                      1.20.7, 1.19.11, 1.18.19.

=====================================================================
https://groups.google.com/g/kubernetes-announce/c/EvzkWziK5Ek
_____________________________________________________________________

[Security Advisory] CVE-2021-25737: Holes in EndpointSlice Validation
Enable Host Network Hijack


A security issue was discovered in Kubernetes where a user may be able
to redirect pod traffic to private networks on a Node. Kubernetes
already prevents creation of Endpoint IPs in the localhost or link-local
range, but the same validation was not performed on EndpointSlice IPs.

This issue has been rated Low
(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N), and assigned CVE-2021-25737.



Affected Component

kube-apiserver


Affected Versions

    v1.21.0

    v1.20.0 - v1.20.6

    v1.19.0 - v1.19.10

    v1.16.0 - v1.18.18 (Note: EndpointSlices were not enabled by default in 1.16-1.18)


Fixed Versions

This issue is fixed in the following versions:

    v1.21.1

    v1.20.7

    v1.19.11

    v1.18.19


Mitigation

To mitigate this vulnerability without upgrading kube-apiserver, you can
create a validating admission webhook that prevents EndpointSlices with
endpoint addresses in the 127.0.0.0/8 and 169.254.0.0/16 ranges. If you
have an existing admission policy mechanism (like OPA Gatekeeper) you
can create a policy that enforces this restriction.


Detection

To detect whether this vulnerability has been exploited, you can list
EndpointSlices and check for endpoint addresses in the 127.0.0.0/8 and
169.254.0.0/16 ranges.
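As an added example, not part of the advisory and not Kubernetes' own code, the Go program below implements both the mitigation and the detection described above using only the standard library. ForbiddenAddresses applies the 127.0.0.0/8 and 169.254.0.0/16 check; Review is the decision logic of a validating admission webhook (the TLS server and the ValidatingWebhookConfiguration that points kube-apiserver at it are assumed and not shown); Scan runs the same check over an EndpointSliceList such as the output of `kubectl get endpointslices -A -o json`. The EndpointSlice and AdmissionReview types are assumed minimal subsets of the real discovery.k8s.io/v1 and admission.k8s.io/v1 types, and the sample list in main is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Loopback and link-local: Endpoint validation already rejected these ranges
// and the fixed kube-apiserver now rejects them for EndpointSlices as well.
var forbiddenPrefixes = []netip.Prefix{netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("169.254.0.0/16")}

// EndpointSlice holds only the discovery.k8s.io/v1 fields read here (an assumed subset; encoding/json matches the names case-insensitively).
type EndpointSlice struct {
	Metadata  struct{ Name, Namespace string }
	Endpoints []struct{ Addresses []string }
}

// ForbiddenAddresses returns every endpoint address inside 127.0.0.0/8 or
// 169.254.0.0/16; an empty result means the slice is acceptable.
func ForbiddenAddresses(s EndpointSlice) []string {
	var bad []string
	for _, ep := range s.Endpoints {
		for _, a := range ep.Addresses {
			ip, err := netip.ParseAddr(a) // fails for FQDN address types, which are skipped
			for _, p := range forbiddenPrefixes {
				if err == nil && p.Contains(ip.Unmap()) { // Unmap so ::ffff:127.0.0.1 is caught too
					bad = append(bad, a)
					break
				}
			}
		}
	}
	return bad
}

// AdmissionReview is the subset of admission.k8s.io/v1 AdmissionReview a validating webhook reads and answers.
type AdmissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	} `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// Review is the webhook decision for one AdmissionReview carrying an EndpointSlice:
// deny when any address is forbidden, otherwise allow (TLS serving not shown).
func Review(body []byte) (*AdmissionReview, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	} else if ar.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	var s EndpointSlice
	if err := json.Unmarshal(ar.Request.Object, &s); err != nil {
		return nil, err
	}
	ar.Response = &AdmissionResponse{UID: ar.Request.UID, Allowed: true}
	if bad := ForbiddenAddresses(s); len(bad) > 0 {
		ar.Response.Allowed = false
		ar.Response.Status = map[string]string{"message": fmt.Sprintf(
			"endpoint addresses in 127.0.0.0/8 or 169.254.0.0/16 are not allowed: %v", bad)}
	}
	return &ar, nil
}

// Scan is the detection step: it walks an EndpointSliceList (what `kubectl get
// endpointslices -A -o json` prints) and reports each hit as "namespace/name: address".
func Scan(listJSON []byte) ([]string, error) {
	var list struct{ Items []EndpointSlice }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, s := range list.Items {
		for _, a := range ForbiddenAddresses(s) {
			findings = append(findings, fmt.Sprintf("%s/%s: %s", s.Metadata.Namespace, s.Metadata.Name, a))
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample list, not output from a real cluster.
	sample := `{"items":[{"metadata":{"name":"web-abc","namespace":"default"},"endpoints":[{"addresses":["10.244.1.7"]}]},` +
		`{"metadata":{"name":"redirect","namespace":"default"},"endpoints":[{"addresses":["169.254.1.1","127.0.0.1"]}]}]}`
	findings, err := Scan([]byte(sample))
	fmt.Println(findings, err) // [default/redirect: 169.254.1.1 default/redirect: 127.0.0.1] <nil>
}
```

The check unmaps IPv4-mapped IPv6 addresses before comparing, so a slice of addressType IPv6 carrying `::ffff:127.0.0.1` is denied as well; an OPA Gatekeeper policy enforcing the same restriction should do likewise. Scan only shows which slices currently carry such addresses; to learn who created them, consult the API server audit log for the corresponding EndpointSlice writes.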


If you find evidence that this vulnerability has been exploited, please
contact secu...@kubernetes.io


Additional Details

See Kubernetes Issue #102106 for more details.


Acknowledgements

This vulnerability was reported by John Howard of Google.

Thank You,

CJ Cullen on behalf of the Kubernetes Product Security Committee



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


