KSOC Shares List of Top Eight Kubernetes Vulnerabilities

Kubernetes Security Operations Center (KSOC) has published a list of the eight Kubernetes vulnerabilities that are most likely to be exploited. The ranking is based on the Exploit Prediction Scoring System (EPSS) maintained by FIRST (the Forum of Incident Response and Security Teams), a community of cybersecurity professionals that provides members with access to a range of collaboration tools and platforms.

Andrew Josephides, director of security research for KSOC, said that while 48 Kubernetes vulnerabilities have been disclosed since 2016, not every vulnerability is equally lethal. The EPSS model scores Common Vulnerabilities and Exposures (CVE) entries on factors such as the existence of proofs-of-concept (PoCs), references to the CVE and observed exploitation activity, producing an estimated probability that the vulnerability will be exploited in the wild.

The top eight vulnerabilities that warrant the attention of IT teams are:

CVE-2021-3121:
CVSS 3.1: 8.6
EPSS: 0.37
EPSS Percentile: 68.5%
Affected Kubernetes Versions: 1.21.0-1.21.1, 1.20.0-1.20.7, 1.19.0-1.19.11, <=1.18.19
Summary: This is an issue in the GoGo protobuf code generator (versions prior to 1.3.2) used by Kubernetes: the generated unmarshalling code lacks index validation, so a maliciously crafted protobuf message can trigger a panic, potentially resulting in information disclosure, data manipulation or denial of service. It can be mitigated by disabling protobuf messaging or by recovering from the panic gracefully. The Kubernetes security team believed at the time of release that Kubernetes' built-in panic handling meant Kubernetes itself was unaffected, but still recommended updating out of an abundance of caution. Controllers, operators or workloads on a cluster that use the same library might be affected as well.

CVE-2020-8559:
CVSS 3.1: 6.8
EPSS: 0.27
EPSS Percentile: 62.98%
Affected Kubernetes Versions: <=1.16.13, 1.17.0-1.17.9, 1.18.0-1.18.6
Summary: This bug could be escalated to a high CVSS severity if multiple clusters share the same certificate authority, and multiple proofs-of-concept (PoCs) exist. In a nutshell: an attacker who has already compromised a node can intercept certain upgrade requests sent to its kubelet (for example exec, attach and port-forward) and answer them with a redirect; a client that follows the redirect re-sends the original request's credentials, which can then be used to take over other nodes, resulting in privilege escalation and/or lateral movement. When multiple clusters use the same certificate authority and authentication materials, this vulnerability could also be exploited to compromise nodes in other clusters.

CVE-2020-8554:
CVSS 3.1: 5.0
EPSS: 0.13
EPSS Percentile: 46.57%
Affected Kubernetes Versions: All versions
Summary: A potential man-in-the-middle (MitM) attack vector, this issue remains intentionally unpatched and should be mitigated with a combination of role-based access control (RBAC) and admission control rules, such as an admission webhook that restricts the addresses permitted in externalIPs. A malicious actor with permission to create or edit Services and Pods can create a ClusterIP Service with an externalIPs attribute pointing at an address of their choosing; kube-proxy then routes traffic addressed to that IP into the Service, allowing them to intercept it, including traffic from other Pods or Nodes in the cluster. This issue particularly affects multi-tenant clusters, where an attacker could intercept traffic from other tenants. A similar issue exists when an actor has permission to patch the status of LoadBalancer Services to change the ingress.ip attribute, but this is considered a privileged action and should be restricted via RBAC.
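As an added illustration (not part of KSOC's list and not the Kubernetes project's own tooling), the following Python script audits output in the shape of `kubectl get svc -A -o json` for the CVE-2020-8554 pattern: Services that declare spec.externalIPs, and LoadBalancer Services whose status carries an ingress IP, where the address falls outside an operator-approved allow-list of CIDRs. The Service objects, the 10.0.5.20 and 203.0.113.10 addresses and the allow-list ranges are constructed sample data for the example.

```python
"""Added audit script for the CVE-2020-8554 interception pattern: flags
Services that declare spec.externalIPs, and LoadBalancer Services whose
status carries an ingress IP, when the address is outside an allow-list of
CIDRs approved by the cluster operator. Input has the shape of
`kubectl get svc -A -o json`. Not KSOC's or the Kubernetes project's code."""

import ipaddress
import json
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data standing in for `kubectl get svc -A -o json`.
# 10.0.5.20 and 203.0.113.10 are placeholder addresses for the example.
SAMPLE_SERVICES = json.loads("""
{"items": [
  {"metadata": {"namespace": "tenant-a", "name": "web"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10",
            "externalIPs": ["10.0.5.20"]}},
  {"metadata": {"namespace": "kube-system", "name": "ingress-nginx"},
   "spec": {"type": "LoadBalancer", "clusterIP": "10.96.0.12"},
   "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
  {"metadata": {"namespace": "tenant-b", "name": "api"},
   "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.11"}}
]}
""")


def _not_approved(ip: str, allowed: List[Network]) -> bool:
    """True unless `ip` parses and falls inside one of the approved networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable address can never be on the allow-list
    return not any(addr in net for net in allowed)


def audit_services(service_list: Dict, allowed_cidrs: Iterable[str] = ()) -> List[Dict]:
    """Return one finding per external address that is not on the allow-list.
    With an empty allow-list every externalIP and ingress IP is reported."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        spec = svc.get("spec", {})
        # Any Service type may carry externalIPs; kube-proxy routes traffic
        # addressed to them into the Service, which is the interception vector.
        for ip in spec.get("externalIPs") or []:
            if _not_approved(ip, allowed):
                findings.append({"service": name, "field": "spec.externalIPs", "ip": ip})
        # LoadBalancer status is normally written by the cloud controller;
        # an unexpected ingress IP there is the related status-patch variant.
        if spec.get("type") == "LoadBalancer":
            ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
            for entry in ingress:
                ip = entry.get("ip")
                if ip and _not_approved(ip, allowed):
                    findings.append({"service": name,
                                     "field": "status.loadBalancer.ingress[].ip",
                                     "ip": ip})
    return findings


if __name__ == "__main__":
    # Only the load balancer's public range is approved; tenant-a's externalIP is not.
    for f in audit_services(SAMPLE_SERVICES, allowed_cidrs=("203.0.113.0/24",)):
        print(f"{f['service']}: {f['field']} = {f['ip']}")
```

Run it against real output with `kubectl get svc -A -o json` piped into `json.load`, and feed the same allow-list you enforce at admission time so the audit and the preventive control agree. An empty allow-list is deliberately noisy: until the operator has decided which external addresses are legitimate, every one of them deserves a look.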

CVE-2021-25741:
CVSS 3.1: 8.1
EPSS: 0.12
EPSS Percentile: 44.76%
Affected Kubernetes Versions: v1.22.0 – v1.22.1, v1.21.0 – v1.21.4, v1.20.0 – v1.20.10, <= v1.19.14
Summary: A symlink-exchange race in subPath volume mounts that allows a pod to access files and directories outside its volume, including on the host/node filesystem. Because no hostPath volume is needed, it bypasses controls implemented to prevent hostPath mounts, providing similar access through symlinks.

CVE-2020-8551:
CVSS 3.1: 6.5
EPSS: 0.11
EPSS Percentile: 43.23%
Affected Kubernetes Versions: kubelet v1.17.0 – v1.17.2, kubelet v1.16.0 – v1.16.6, kubelet v1.15.0 – v1.15.9
Summary: A denial-of-service vulnerability in the kubelet API, reachable through both the authenticated HTTPS API (typically port 10250) and, where it is enabled, the unauthenticated read-only HTTP API (typically port 10255).

CVE-2020-10749:
CVSS 3.1: 6.0
EPSS: 0.11
EPSS Percentile: 42.42%
Affected Kubernetes Versions: kubelet v1.18.0-v1.18.3, kubelet v1.17.0-v1.17.6, kubelet < v1.16.11
Summary: A man-in-the-middle (MitM) attack. This vulnerability was actually in the kubernetes-cni package (the CNI plugins) used by many CNI implementations; it appears in the official Kubernetes CVE feed because kubernetes-cni was shipped with the official kubelet packages for the affected versions. It allows an attacker-controlled container to send malicious IPv6 router advertisements that cause the host to route IPv6 traffic to the container. This may include traffic that would not otherwise use IPv6, since many resolvers prefer an AAAA record in DNS responses and try IPv6 first.

CVE-2019-11254:
CVSS 3.1: 6.5
EPSS: 0.1
EPSS Percentile: 40.1%
Affected Kubernetes Versions: <= v1.15.9, v1.16.0-v1.16.7, v1.17.0-v1.17.2
Summary: A denial-of-service vulnerability. An attacker with permission to create resources on the cluster could submit maliciously crafted YAML that consumes excessive CPU in the API server while it is being parsed.

CVE-2020-8555:
CVSS 3.1: 6.3
EPSS: 0.1
EPSS Percentile: 39.81%
Affected Kubernetes Versions: kube-controller-manager v1.18.0, kube-controller-manager v1.17.0 – v1.17.4, kube-controller-manager v1.16.0 – v1.16.8, kube-controller-manager <= v1.15.11
Summary: A server-side request forgery (SSRF) issue. An attacker with permission to create Pods using certain built-in storage types, or to create StorageClasses, can make kube-controller-manager issue GET and/or POST requests on their behalf to a user-supplied, unvalidated URL. This can leak up to 500 bytes of information from unprotected endpoints on the control-plane host's network.

There are, of course, multiple ways to mitigate these attacks, most of which involve upgrading to newer versions of Kubernetes (CVE-2020-8554 is the exception, since it is addressed by policy rather than by a patch). The challenge is that many organizations continue to run older versions of Kubernetes for fear an upgrade will break applications already deployed because of a dependency on an application programming interface (API) that might no longer be available.
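As an added example (not KSOC's or the Kubernetes project's code), the following Python helper transcribes the affected-version ranges from the list above and reports which of the eight CVEs apply to a given component version, so a team stuck on an older release can see exactly what it is exposed to. The page's `< v1.16.11` bound for CVE-2020-10749 is encoded as `<= 1.16.10`; the component tags (kubelet, kube-controller-manager) follow the list, and an entry without a tag is treated as cluster-wide.

```python
"""Added triage helper: map a Kubernetes component version to the CVEs in
KSOC's list whose affected-version ranges (transcribed from the list above)
include it. Not KSOC's or the Kubernetes project's code."""

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
# Inclusive (low, high) bounds; None means unbounded on that side.
Range = Tuple[Optional[Version], Optional[Version]]

# Component tag (None = cluster-wide) and affected ranges, as listed on the page.
ADVISORIES: Dict[str, Tuple[Optional[str], List[Range]]] = {
    "CVE-2021-3121": (None, [((1, 21, 0), (1, 21, 1)), ((1, 20, 0), (1, 20, 7)),
                             ((1, 19, 0), (1, 19, 11)), (None, (1, 18, 19))]),
    "CVE-2020-8559": (None, [(None, (1, 16, 13)), ((1, 17, 0), (1, 17, 9)),
                             ((1, 18, 0), (1, 18, 6))]),
    # All versions: mitigated by RBAC and admission policy, not by upgrading.
    "CVE-2020-8554": (None, [(None, None)]),
    "CVE-2021-25741": (None, [((1, 22, 0), (1, 22, 1)), ((1, 21, 0), (1, 21, 4)),
                              ((1, 20, 0), (1, 20, 10)), (None, (1, 19, 14))]),
    "CVE-2020-8551": ("kubelet", [((1, 17, 0), (1, 17, 2)), ((1, 16, 0), (1, 16, 6)),
                                  ((1, 15, 0), (1, 15, 9))]),
    # The page's "< v1.16.11" is encoded as "<= 1.16.10".
    "CVE-2020-10749": ("kubelet", [((1, 18, 0), (1, 18, 3)), ((1, 17, 0), (1, 17, 6)),
                                   (None, (1, 16, 10))]),
    "CVE-2019-11254": (None, [(None, (1, 15, 9)), ((1, 16, 0), (1, 16, 7)),
                              ((1, 17, 0), (1, 17, 2))]),
    "CVE-2020-8555": ("kube-controller-manager", [((1, 18, 0), (1, 18, 0)),
                                                  ((1, 17, 0), (1, 17, 4)),
                                                  ((1, 16, 0), (1, 16, 8)),
                                                  (None, (1, 15, 11))]),
}


def parse_version(text: str) -> Version:
    """Parse 'v1.21.1', '1.21.1-gke.100' or '1.20.7+k3s1' into (1, 21, 1).
    Pre-release and build suffixes are dropped; anything else is rejected
    rather than guessed, since a wrong parse would silently hide a CVE."""
    core = text.strip().lstrip("v")
    for sep in ("-", "+"):
        core = core.split(sep, 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kubernetes version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def in_range(version: Version, bounds: Range) -> bool:
    """Inclusive containment test; tuples compare lexicographically."""
    low, high = bounds
    return (low is None or low <= version) and (high is None or version <= high)


def affected_cves(version: str, component: Optional[str] = None) -> List[str]:
    """CVE IDs whose ranges include `version`. If `component` is given,
    advisories tagged for a different component are skipped; untagged
    (cluster-wide) advisories always apply."""
    parsed = parse_version(version)
    hits = []
    for cve, (target, ranges) in ADVISORIES.items():
        if target is not None and component is not None and target != component:
            continue
        if any(in_range(parsed, r) for r in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    checks = (("v1.18.0", "kubelet"), ("v1.18.0", "kube-controller-manager"), ("v1.22.2", None))
    for ver, comp in checks:
        print(f"{ver} ({comp or 'cluster'}): {', '.join(affected_cves(ver, comp)) or 'none'}")
```

Feed it the versions reported by `kubectl version` for the control plane and by `kubectl get nodes -o wide` for each kubelet, since mixed-version clusters are common and a single cluster-wide number can hide an old kubelet. Even the newest version still returns CVE-2020-8554, which is the reminder that an upgrade alone does not close the list.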

One way or another, however, it's only a matter of time before cybercriminals exploit these vulnerabilities, so upgrades and other mitigations should be applied as quickly as possible. In the meantime, IT teams would be well advised to keep an eye on EPSS ratings, which are continuously updated as new Kubernetes threats are discovered and exploited.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
