Man-in-the-Middle (MitM) Affecting k8s.io/kubernetes Open this link in a new tab package, versions <1.21.0-alpha.1


0.0
medium
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-K8SIOKUBERNETES-1048855

  • published

    8 Dec 2020

  • disclosed

    7 Dec 2020

  • credit

    Etienne Champetier of Anevia

How to fix?

Upgrade k8s.io/kubernetes to version 1.21.0-alpha.1 or higher.

Overview

k8s.io/kubernetes is a Production-Grade Container Scheduling and Management.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Mitigations have been published:

  1. To restrict the use of external IPs we are providing an admission webhook container: k8s.gcr.io/multitenancy/externalip-webhook:v1.0.0. The source code and deployment instructions are published at https://github.com/kubernetes-sigs/externalip-webhook.
  2. Alternatively, external IPs can be restricted using OPA Gatekeeper. A sample ConstraintTemplate and Constraint can be found here: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip.