Container Service for Kubernetes has fixed CVE-2020-8555, a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager. Before the vulnerability is fixed, authorized users may exploit this vulnerability to induce the server-side application to send requests to obtain arbitrary information from unprotected endpoints in the host network of master nodes. This topic describes the impacts, solution, and prevention measures of this vulnerability.
The SSRF vulnerability is scored 3.0 and rated medium in Common Vulnerability Scoring System (CVSS). For more information, see CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N.
- A local port of kube-apiserver that allows unauthenticated access is exposed.
- Unprotected services are exposed to the host network of master nodes.
- Malicious users are authorized to create pods or write StorageClass objects in a target cluster.
- kube-controller-manager v1.16.0~v1.16.8
The affected volume types are GlusterFS, Quobyte, StorageFS, and ScaleIO.
An authorized attacker may exploit the SSRF vulnerability to create a pod that uses a vulnerable volume or write a StorageClass object in kube-controller-manager. Vulnerable volumes include GlusterFS, Quobyte, StorageFS, and ScaleIO. As a result, the attacker can send GET or POST requests to services that allow unauthenticated requests in the host network of master nodes and obtain arbitrary information. For example, an attacker may use the insecure port 8080 of kube-apiserver to obtain Kubernetes secrets.
By default, insecure port 8080 is disabled for a Kubernetes cluster, and all RAM users must be granted role-based access control (RBAC) permissions. By default, all RAM users except the user who creates the cluster are not authorized to create pods or write StorageClass objects. To prevent information leaks from unprotected services in the host network of master nodes, Container Service for Kubernetes integrates with the measures introduced in pr.k8s.io/89794 and provides a new version of kube-controller-manager.
- Do not enable insecure port 8080 on kube-apiserver. By default, this port is disabled.
- Check whether request authentication is enabled for services exposed in the host network of master nodes. Find and disable the unprotected services that may cause data leaks.
- Do not allow untrusted users to create pods or write StorageClass objects.