To implement dynamic address assignment in IPv6, Kubernetes supports both Dynamic Host Configuration Protocol (DHCP) and Router Advertisement. This support is the cause of vulnerability CVE-2020-13401. With Router Advertisement, the router periodically sends messages to nodes. The messages provide information about the network status, such as routing table entries, and the client uses Neighbor Discovery Protocol (NDP) to configure the network based on that information. This topic describes the impact of this vulnerability.
This vulnerability affects a node if IPv6 is enabled and the Container Network Interface (CNI) plug-in version is earlier than v0.8.6.
A malicious user may exploit this vulnerability to tamper with the IPv6 routing tables of other containers or the host. This enables man-in-the-middle attacks. If the DNS server returns both A (IPv4) and AAAA (IPv6) records, HTTP libraries may use the IPv6 record for connections even if no IPv6 traffic exists in the cluster. If the connection fails, the IPv4 record is used.
- kubelet v1.18.0~v1.18.3
- kubelet v1.17.0~v1.17.6
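
The following is an added example, not part of the original advisory: a shell check for the two node conditions this topic names (IPv6 enabled, CNI plug-in version earlier than v0.8.6). It assumes the Linux sysctl files under `/proc/sys/net/ipv6/conf`, where `accept_ra` controls whether an interface acts on Router Advertisements; the function names, and passing the CNI plug-in version as an argument, are choices made for this example.

```shell
#!/bin/sh
# Added example: audit a node for the conditions named in this topic.
# Assumption: per-interface IPv6 settings live under
# /proc/sys/net/ipv6/conf/<iface>/{accept_ra,disable_ipv6,forwarding}.

# version_lt A B: succeed if version A (vX.Y.Z) is strictly older than B.
version_lt() {
    a=${1#v}; b=${2#v}
    [ "$a" = "$b" ] && return 1
    oldest=$(printf '%s\n%s\n' "$a" "$b" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$oldest" = "$a" ]
}

# ra_accepting_ifaces [ROOT]: print each interface that has IPv6 enabled
# and will act on Router Advertisements.
ra_accepting_ifaces() {
    root=${1:-/proc/sys/net/ipv6/conf}
    for dir in "$root"/*/; do
        [ -r "${dir}accept_ra" ] || continue
        ra=$(cat "${dir}accept_ra")
        off=$(cat "${dir}disable_ipv6" 2>/dev/null || echo 0)
        fwd=$(cat "${dir}forwarding" 2>/dev/null || echo 0)
        [ "$off" = "0" ] || continue
        # accept_ra: 0 = ignore RAs, 1 = accept unless forwarding is on,
        # 2 = accept even when forwarding is on.
        if [ "$ra" = "2" ] || { [ "$ra" = "1" ] && [ "$fwd" = "0" ]; }; then
            basename "$dir"
        fi
    done
}

# node_exposed CNI_VERSION [ROOT]: succeed only when both conditions hold:
# CNI plug-ins older than v0.8.6 and at least one RA-accepting interface.
node_exposed() {
    version_lt "$1" v0.8.6 && [ -n "$(ra_accepting_ifaces "$2")" ]
}

# Usage: node_exposed v0.8.5 && echo "node meets both conditions"
```

Run it on the host for the node's own interfaces, or inside a pod's network namespace to see what a container's interfaces accept.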