CVE-2020-8559

This is a security vulnerability of the kube-apiserver component. An attacker can intercept certain upgrade requests sent to the node kubelet, and forward the request to other target nodes through the original access credentials in the request that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Scope

Since kube-apiserver allows the request to be propagated back to the source client in the proxied upgrade request, the attacker can intercept certain upgrade requests sent to the node kubelet, and then use the original access credentials in the request to forward requests to other target nodes, resulting in a privilege escalation vulnerability on the attacked node.

CVSS scores

This vulnerability is rated as medium-risk with a CVSS score of 6.4. If multiple clusters share the same CA and authentication credentials, an attacker can use this vulnerability to attack other clusters. In this case, it is a high-risk vulnerability.

Prevention

For cross-node attacks in the cluster, it is recommended that you take the following preventative measures:

• Timely revoke kubeconfig credentials that may cause leakage potentially, and follow the least principle of minimum permissions to converge unnecessary pods/exec, pods/attach, pods/portforward and proxy resource models with the RBAC permission.

Fixed by official

• v1.18.6
• v1.17.9
• v1.16.13

Fixed by KLTS

• v1.15.12-lts.1 kubernetes/kubernetes#92971
• v1.14.10-lts.1 kubernetes/kubernetes#92971
• v1.13.12-lts.1 TODO
• v1.12.10-lts.1 TODO
• v1.11.10-lts.1 TODO
• v1.10.13-lts.1 TODO