=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN620
_____________________________________________________________________

DATE                : 17/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kubernetes C# client versions
                     prior to 17.0.14.

=====================================================================
https://lists.apple.com/archives/security-announce/2025/Sep/msg00010.html
_____________________________________________________________________


[Security Advisory] CVE-2025-9708: Kubernetes C# Client: improper
certificate validation in custom CA mode may lead to
man-in-the-middle attacks

Announcements
Security_k8s.io, September 16, 2025, 4:01pm

Hello Kubernetes Community,

A vulnerability exists in the Kubernetes C# client where the
certificate validation logic accepts properly constructed
certificates from any Certificate Authority (CA) without properly
verifying the trust chain. This flaw allows a malicious actor to
present a forged certificate and potentially intercept or manipulate
communication with the Kubernetes API server, leading to possible
man-in-the-middle attacks and API impersonation.

This issue has been rated Medium (6.8)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, and assigned
CVE-2025-9708.
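The flaw described above is a chain-validation failure: a certificate that is well formed and chains to some CA is accepted without requiring that the CA be the one configured in the kubeconfig. The following C# is an added illustration written for this note; it is not the Kubernetes C# client's code and does not reproduce the client's actual logic. It contrasts a generic .NET anti-pattern (tolerating an unknown root) with a check that pins the trust anchor to the custom CA. The revocation setting is an assumption for a private CA without CRL/OCSP.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example; not the Kubernetes C# client's code. Shows the difference between
// a check that only asks "does this certificate form a well-built chain?" and one
// that requires the chain to terminate in the configured custom CA.
public static class CustomCaValidation
{
    // ANTI-PATTERN (illustrative): with AllowUnknownCertificateAuthority set, Build()
    // succeeds for any well-formed certificate whose issuer chain can be assembled,
    // even when the root is unknown. This is the shape of weakness the advisory describes.
    public static bool AcceptsAnyWellFormedChain(X509Certificate2 serverCert)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(serverCert);
    }

    // CORRECT: the chain must build with the custom CA as its only trust anchor.
    public static bool ChainsToCustomCa(X509Certificate2 serverCert, X509Certificate2 customCa)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(customCa);
        // Assumption: a private CA that publishes no CRL/OCSP. With a CA that does,
        // use X509RevocationMode.Online instead.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (!chain.Build(serverCert))
            return false;   // untrusted root, expired, bad signature, wrong key usage, ...

        // Confirm the anchor really is the configured CA, not merely "some" root.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, customCa.Thumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // HttpClientHandler wired to the correct check. Hostname mismatches are still
    // reported by the TLS stack through sslPolicyErrors and must not be overridden.
    public static HttpClientHandler CreateHandler(X509Certificate2 customCa)
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (cert == null || (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
                return false;
            if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;
            // RemoteCertificateChainErrors is expected here (the CA is not in the OS
            // store); replace that decision with our own chain check, do not ignore it.
            return ChainsToCustomCa(cert, customCa);
        };
        return handler;
    }
}
```

The CA passed to `CreateHandler` is the certificate referenced by the kubeconfig's `certificate-authority` file or embedded in `certificate-authority-data`; the thumbprint comparison at the end is what prevents a chain that happens to build against a different root from being accepted.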


Am I vulnerable?

You are vulnerable if:

    You use the Kubernetes C# client to connect to a Kubernetes
API server over TLS/HTTPS with custom CA certificates in your
kubeconfig file and your connection occurs over an untrusted
network.


Affected Versions

    All versions of the Kubernetes C# client up to and including
17.0.13 (<= 17.0.13).


How do I mitigate this vulnerability?

This issue can be mitigated by:

    Deploying the patched version of the Kubernetes C# client as
soon as possible.

    Moving the CA certificates into the system trust store instead
of specifying them in the kubeconfig file. Note: this approach may
introduce new risks, as all processes on the system will then
trust certificates signed by that CA. If you must use an affected
version, you can disable the custom CA in the kubeconfig and add the
CA to the machine's trusted root store.

Fixed Versions

    Kubernetes C# client >= v17.0.14


Detection

To determine if your applications are affected:

    Review your usage of the Kubernetes C# client and inspect
certificate validation logic.

    Review your kubeconfig files and determine if you use a custom
CA certificate (the certificate-authority field in the clusters
section).

    Review client logs for unexpected or untrusted certificate
connections.
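The second detection step (find kubeconfig clusters that set a custom CA) can be scripted. The C# below is an added example for this note, not code from the Kubernetes project or the advisory. It is a deliberately simple line-based scan that assumes the standard kubectl kubeconfig layout (entries under `clusters:` introduced by `- `, with `cluster:` keys indented beneath and a `name:` key on the entry); it reports each cluster that carries `certificate-authority` or `certificate-authority-data`, which is the "am I vulnerable?" precondition when an affected client version is in use. The sample kubeconfig embedded in `Main` is constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example, not from the Kubernetes C# client or the advisory: list kubeconfig
// clusters configured with a custom CA. Assumption: standard kubectl layout.
public static class KubeconfigCaScan
{
    public record Finding(string File, string Cluster, string Key);

    public static List<Finding> Scan(string path, IEnumerable<string> lines)
    {
        var findings = new List<Finding>();
        var pending = new List<string>();   // CA keys seen in the current cluster entry
        string? name = null;
        bool inClusters = false;

        void Flush()
        {
            foreach (var key in pending)
                findings.Add(new Finding(path, name ?? "(unnamed)", key));
            pending.Clear();
            name = null;
        }

        foreach (var raw in lines)
        {
            var line = raw.TrimEnd();
            if (line.Length == 0 || line.TrimStart().StartsWith("#")) continue;

            // A top-level key (no indentation) starts or ends the clusters section.
            if (!char.IsWhiteSpace(line[0]))
            {
                if (inClusters) Flush();
                inClusters = line.StartsWith("clusters:");
                continue;
            }
            if (!inClusters) continue;

            var t = line.TrimStart();
            if (t.StartsWith("- "))           // new list entry; the rest of the line is a key
            {
                Flush();
                t = t.Substring(2).TrimStart();
            }

            if (t.StartsWith("name:"))
                name = t.Substring("name:".Length).Trim();
            else if (t.StartsWith("certificate-authority-data:"))
                pending.Add("certificate-authority-data");
            else if (t.StartsWith("certificate-authority:"))
                pending.Add("certificate-authority");
        }
        if (inClusters) Flush();
        return findings;
    }

    // Constructed sample kubeconfig used when no file paths are given on the command line.
    private const string SampleKubeconfig = @"apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTi... (constructed, truncated)
    server: https://10.0.0.1:6443
  name: private-cluster
- name: public-cluster
  cluster:
    server: https://public.example.invalid:6443
contexts: []
users: []
";

    public static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Report(Scan("<sample>", SampleKubeconfig.Split('\n')));
            return;
        }
        foreach (var p in args)
        {
            if (!File.Exists(p)) { Console.Error.WriteLine($"{p}: not found"); continue; }
            Report(Scan(p, File.ReadLines(p)));
        }
    }

    private static void Report(List<Finding> findings)
    {
        foreach (var f in findings)
            Console.WriteLine($"{f.File}: cluster '{f.Cluster}' sets {f.Key} " +
                              "(custom CA; confirm client version >= 17.0.14)");
    }
}
```

Run it with one or more kubeconfig paths (for example `~/.kube/config` or each file listed in `KUBECONFIG`); with no arguments it scans the embedded sample and reports only `private-cluster`. Any cluster it lists should be cross-checked against the client package version used by the application that loads that kubeconfig.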

If you find evidence that this vulnerability has been exploited,
please contact security@kubernetes.io


Thank You,

Rita Zhang on behalf of the Kubernetes Security Response Committee

Additional Details

See the GitHub issue for more details:
https://github.com/kubernetes/kubernetes/issues/134063


Acknowledgements

This vulnerability was reported by @elliott-beach

The issue was fixed and coordinated by:

Boshi Lian @tg123

Brendan Burns @brendandburns

Rita Zhang @ritazh


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
