To implement dynamic address assignment in IPv6, Kubernetes supports both Dynamic Host Configuration Protocol (DHCP) and Router Advertisement. This causes the vulnerability CVE-2020-13401. Router Advertisement allows routers to periodically send messages to nodes. The messages provide information about the network status such as routing table entries. The client uses Neighbor Discovery Protocol (NDP) to configure the network based on the information. This topic describes the impacts of the vulnerability CVE-2020-13401.

Notice IPv6 is disabled for ACK clusters. Therefore, this vulnerability does not affect your clusters and no further action is required.

Affected scenarios

This vulnerability affects a node if IPv6 is enabled and the Container Network Interface (CNI) plug-in version is earlier than v0.8.6.

Impacts

A malicious attacker may exploit this vulnerability to tamper with the IPv6 routing tables of hosts or containers. This enables man-in-the-middle attacks. If the DNS server returns both A (IPv4) and AAAA (IPv6) records, HTTP libraries may use the IPv6 record for connections even if no IPv6 traffic exists in the cluster. If the connection fails, the IPv4 record is used.

The following kubelet versions contain the kubernetes-cni service. Therefore, these versions are affected by the vulnerability.
  • kubelet v1.18.0~v1.18.3
  • kubelet v1.17.0~v1.17.6
  • kubelet<v1.16.11
Notice IPv6 is disabled for ACK clusters. Therefore, this vulnerability does not affect your clusters and no further action is required.