To enable nodes in a Kubernetes cluster to access services that listen on 127.0.0.1, kube-proxy sets the Linux kernel parameter net.ipv4.conf.all.route_localnet to 1 in both iptables and ipvs modes. This setting introduces a security vulnerability. An attacker may log on to a container connected to the network of a vulnerable host, or to an adjacent host in the same local area network (LAN) as the vulnerable host, and then attempt to reach TCP and UDP services that are deployed on the vulnerable host and listen on 127.0.0.1. If such a service does not require authentication, the attacker may access it, which can lead to data breaches.

Affected versions

This vulnerability affects kube-proxy of the following versions:
  • kube-proxy v1.18.0~v1.18.3
  • kube-proxy v1.17.0~v1.17.6
  • kube-proxy v1.16.10 and earlier

By default, in a Kubernetes cluster, users must be authenticated to access services that listen on 127.0.0.1, and kube-apiserver disables unprotected ports. The kubelet service opens read-only port 10255 that is bound to 0.0.0.0 but does not require user authentication. Attackers can access the kubelet service from containers that use the host network or privileged containers through port 10255 even if the vulnerability is fixed. Therefore, this vulnerability has little impact on the ACK cluster.

Impacts

Assume that an attacker has the permission to configure a host network or log on to a container that has CAP_NET_RAW enabled. The attacker may exploit this vulnerability to obtain the socket addresses of services that listen on 127.0.0.1. If services on a node listen on 127.0.0.1 and the services do not require user authentication, an attacker may exploit this vulnerability to access the services. For more information, see Issue.

Common Vulnerability Scoring System (CVSS) rating:
  • If kube-apiserver opens the unprotected port, an attacker may exploit this vulnerability to access the kube-apiserver information. In this case, this vulnerability has high severity and is scored 8.8. The default unprotected port for kube-apiserver is 8080.
  • If kube-apiserver disables the unprotected port, this vulnerability has medium severity and is scored 5.4.
Attackers may log on to the following objects to launch attacks:
  • Hosts that are connected to the same VSwitch as the vulnerable host
  • Containers that run on the vulnerable host

Preventative measures

We recommend that you take the following preventative measures:
  • Do not open the unprotected port of kube-apiserver. The default unprotected port is 8080. By default, this port is disabled.
  • Run the following command to configure an iptables rule for each node in the cluster. This rule blocks traffic that is sent from other nodes to 127.0.0.1.
     iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
  • Control user permissions to log on to cluster nodes. For example, you can invalidate kubeconfig files that may have been leaked to malicious users.
  • Do not enable CAP_NET_RAW for containers. If the capability is enabled, add the following securityContext to the container spec to drop it:
    securityContext:
      capabilities:
        drop: ["NET_RAW"]
  • Use PodSecurityPolicy to control the deployment of privileged containers and containers that use the network of the host. You can also disable CAP_NET_RAW for containers by configuring the requiredDropCapabilities parameter in the policy.
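The following Python script is an added example, not part of this bulletin or of any Alibaba Cloud tooling. It audits pod specs (loaded here as constructed dicts that mirror the pod YAML) for the three conditions the bulletin names as preconditions: containers that keep CAP_NET_RAW, pods on the host network, and privileged containers. The function names and sample pods are hypothetical.

```python
# Added example (not from the bulletin): audit pod specs for the preconditions
# the bulletin names: hostNetwork pods, privileged containers, and containers
# that do not drop CAP_NET_RAW. Pod specs are constructed inline as dicts.

def _drops_net_raw(container):
    """True if the container's securityContext drops NET_RAW (or ALL)
    and does not add NET_RAW back."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {c.upper() for c in caps.get("drop") or []}
    added = {c.upper() for c in caps.get("add") or []}
    return ("NET_RAW" in dropped or "ALL" in dropped) and "NET_RAW" not in added

def audit_pod(pod):
    """Return a list of findings (strings) for one pod spec dict."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: pod uses hostNetwork")
    # Init containers matter too: they run with the same pod network.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
        if not _drops_net_raw(c):
            findings.append(f"{name}/{c['name']}: CAP_NET_RAW not dropped")
    return findings

# Constructed sample pods: one hardened as the bulletin recommends, one not.
SAMPLE_PODS = [
    {"metadata": {"name": "hardened"},
     "spec": {"containers": [{"name": "app",
              "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
    {"metadata": {"name": "risky"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "agent",
                              "securityContext": {"privileged": True}}]}},
]

def audit_all(pods=SAMPLE_PODS):
    """Flatten findings across all pods."""
    return [f for pod in pods for f in audit_pod(pod)]

if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

In a live cluster the same dicts can be obtained from the JSON output of kubectl get pods, so the check can run against deployed workloads rather than the constructed samples.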