IPv6 offers two mechanisms for dynamic address assignment, Dynamic Host Configuration Protocol (DHCP) and Router Advertisement, and Kubernetes supports both. With Router Advertisement, a router periodically sends messages to nodes that carry information about the network, such as routing table entries, and the client uses the Neighbor Discovery Protocol (NDP) to configure its network from that information. Vulnerability CVE-2020-13401 arises from this Router Advertisement mechanism. This topic describes the impact of this vulnerability.

Notice: IPv6 is disabled for Container Service for Kubernetes clusters. Therefore, this vulnerability does not affect your clusters and no further action is required.

Affected scenarios

This vulnerability affects a node if IPv6 is enabled and the Container Network Interface (CNI) plug-in version is earlier than v0.8.6.

Impacts

A malicious user may exploit this vulnerability to tamper with the IPv6 routing tables of other containers or of the host, which enables man-in-the-middle attacks. A cluster that carries no IPv6 traffic is still exposed: if the DNS server returns both an A (IPv4) and an AAAA (IPv6) record for a name, HTTP libraries may connect to the IPv6 address first and fall back to the IPv4 address only if that connection fails.

The following official kubelet package versions depend on an affected kubernetes-cni package and are therefore affected by the vulnerability:
  • kubelet v1.18.0 to v1.18.3
  • kubelet v1.17.0 to v1.17.6
  • kubelet versions earlier than v1.16.11
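As an added check that is not part of this advisory, the following POSIX shell script classifies a kubelet version string against the three ranges above and reports whether IPv6 is enabled on the node it runs on. It assumes versions of the form `v<major>.<minor>.<patch>`; vendor suffixes such as `-aliyun.1` and a missing patch number are handled as noted in the comments. The `kubectl` jsonpath query reads the kubelet version that each node reports.

```shell
#!/bin/sh
# Added check (not from the advisory): classify a kubelet version against
# the affected ranges listed above and report the node's IPv6 state.
# Exit status of kubelet_affected: 0 = affected, 1 = not affected,
# 2 = version string not understood.
kubelet_affected() {
    v=${1#v}              # "v1.18.2" -> "1.18.2"
    v=${v%%[-+]*}         # assumption: drop vendor/pre-release suffixes ("-aliyun.1")
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;    # assumption: "1.18" is treated as "1.18.0"
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac   # non-numeric component
    done
    if [ "$major" -ne 1 ]; then
        return 1
    elif [ "$minor" -eq 18 ]; then
        [ "$patch" -le 3 ]         # v1.18.0 to v1.18.3
    elif [ "$minor" -eq 17 ]; then
        [ "$patch" -le 6 ]         # v1.17.0 to v1.17.6
    elif [ "$minor" -lt 16 ]; then
        return 0                   # everything below v1.16.11
    elif [ "$minor" -eq 16 ]; then
        [ "$patch" -lt 11 ]
    else
        return 1                   # not in any listed range
    fi
}

# True when the kernel has IPv6 enabled on this host (the other precondition).
node_ipv6_enabled() {
    f=/proc/sys/net/ipv6/conf/all/disable_ipv6
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Report for the local node, and for every cluster node when kubectl is available.
if node_ipv6_enabled; then echo "local node: IPv6 enabled"; else echo "local node: IPv6 disabled"; fi
if command -v kubectl >/dev/null 2>&1; then
    kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.kubeletVersion}{"\n"}{end}' |
    while read -r name ver; do
        if kubelet_affected "$ver"; then echo "$name $ver: in affected kubelet range"; else echo "$name $ver: not in affected range"; fi
    done
fi
```

A node is exposed only when both results hold: an affected kubelet range and IPv6 enabled.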