ASA-2019-00162 – Kubernetes: Security issue allows traffic to be processed by HostPort/portmap rather than by KUBE-SERVICES


Allele Security Alert

ASA-2019-00162

Identifier(s)

ASA-2019-00162, CVE-2019-9946

Title

Security issue allows traffic to be processed by HostPort/portmap rather than by KUBE-SERVICES

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes

Affected version(s)

Kubernetes versions prior to 1.11.9
Kubernetes versions prior to 1.12.7
Kubernetes versions prior to 1.13.5
Kubernetes versions prior to 1.14.0

Fixed version(s)

Kubernetes version 1.11.9
Kubernetes version 1.12.7
Kubernetes version 1.13.5
Kubernetes version 1.14.0

Proof of concept

Unknown

Description

A security issue was discovered in the interaction between the CNI (Container Network Interface) portmap plugin, versions prior to 0.7.5, and Kubernetes. The CNI portmap plugin is bundled with Kubernetes releases, so new Kubernetes releases (carrying portmap 0.7.5) are required to fix this issue.

Technical details

Before this fix the ‘portmap’ plugin, used to set up HostPorts for CNI, inserted its rules at the front of the iptables nat chains, so they took precedence over the KUBE-SERVICES chain. Because iptables evaluates a chain in order and the first terminating match wins, the HostPort/portmap rule could capture incoming traffic even when a better fitting, more specific service rule, such as a NodePort definition, sat later in the chain.

Switching the portmap plugin to append its rules, rather than prepend them, lets traffic be processed by the KUBE-SERVICES rules first. Only if traffic does not match a service is it then considered for HostPorts. This matches the behaviour of the legacy ‘kubenet’ network driver.
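The ordering effect described above, as an added example that is not part of this advisory nor code from Kubernetes or the CNI plugins project: a small Python model of iptables first-match evaluation over two constructed `iptables-save -t nat` excerpts, one with the CNI-HOSTPORT-DNAT jump prepended (pre-0.7.5 behaviour) and one with it appended (fixed behaviour). The chain names CNI-HOSTPORT-DNAT, KUBE-SERVICES and KUBE-NODEPORTS are the real ones; the rule bodies, port 30080 used as both a NodePort and a HostPort, port 8443 used only as a HostPort, and the pod IPs are made up for the illustration, and the real kube-proxy chains have further KUBE-SVC/KUBE-SEP hops that are collapsed here. The `hostport_shadows_services` check is the same comparison a practitioner can apply to real `iptables-save -t nat` output from a node.

```python
"""Model of iptables first-match evaluation in the nat PREROUTING chain.

Shows why prepending the CNI-HOSTPORT-DNAT jump lets a HostPort shadow a
NodePort on the same port, and why appending it (CNI plugins 0.7.5) restores
service-first processing.  The iptables-save excerpts below are constructed.
"""

# Constructed excerpt: the portmap jump was prepended, so it is listed before
# the kube-proxy jump.  Port 30080 is both a NodePort and a HostPort; 8443 is
# a HostPort only.  Pod IPs are made up.
VULNERABLE_PREPEND = """\
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-NODEPORTS - [0:0]
:CNI-HOSTPORT-DNAT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m tcp --dport 30080 -j DNAT --to-destination 10.244.1.7:80
-A CNI-HOSTPORT-DNAT -p tcp -m tcp --dport 30080 -j DNAT --to-destination 10.244.0.5:8080
-A CNI-HOSTPORT-DNAT -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.244.0.5:8443
COMMIT
"""

# Same rules, but the portmap jump was appended (the fixed behaviour).
FIXED_APPEND = VULNERABLE_PREPEND.replace(
    "-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT\n"
    "-A PREROUTING -m comment --comment \"kubernetes service portals\" -j KUBE-SERVICES\n",
    "-A PREROUTING -m comment --comment \"kubernetes service portals\" -j KUBE-SERVICES\n"
    "-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT\n",
)


def parse_nat(save_text):
    """Return {chain: [(dport or None, target, to_destination or None)]}.

    Rules are kept in listing order, which is evaluation order: a rule that
    was prepended with `iptables -I` appears earlier in iptables-save output.
    Only the matches this model needs (--dport) are extracted.
    """
    chains = {}
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        parts = line.split()
        chain = parts[1]
        dport = int(parts[parts.index("--dport") + 1]) if "--dport" in parts else None
        target = parts[parts.index("-j") + 1]
        to_dest = (parts[parts.index("--to-destination") + 1]
                   if "--to-destination" in parts else None)
        chains.setdefault(chain, []).append((dport, target, to_dest))
    return chains


def first_match(chains, dport, chain="PREROUTING"):
    """Walk a chain the way the nat table does for a TCP packet to `dport`.

    The first terminating (DNAT) rule wins.  A jump into a user chain that
    falls through without a match returns to the caller, which keeps walking.
    Returns (chain_name, to_destination) or None if nothing matched.
    """
    for rule_dport, target, to_dest in chains.get(chain, []):
        if rule_dport is not None and rule_dport != dport:
            continue
        if target == "DNAT":
            return chain, to_dest
        if target in chains:
            hit = first_match(chains, dport, target)
            if hit is not None:
                return hit
    return None


def hostport_shadows_services(save_text):
    """True when CNI-HOSTPORT-DNAT is evaluated before KUBE-SERVICES in
    nat PREROUTING, i.e. the prepend behaviour of portmap before 0.7.5."""
    jumps = [t for _, t, _ in parse_nat(save_text).get("PREROUTING", [])]
    return ("CNI-HOSTPORT-DNAT" in jumps and "KUBE-SERVICES" in jumps
            and jumps.index("CNI-HOSTPORT-DNAT") < jumps.index("KUBE-SERVICES"))


if __name__ == "__main__":
    for label, text in (("prepend", VULNERABLE_PREPEND), ("append", FIXED_APPEND)):
        chains = parse_nat(text)
        print(label, "shadowed:", hostport_shadows_services(text),
              "port 30080 ->", first_match(chains, 30080),
              "port 8443 ->", first_match(chains, 8443))
```

With the prepended jump, a packet to NodePort 30080 is taken by the HostPort DNAT and never reaches the service; with the jump appended, the service wins and only the HostPort-only port 8443 falls through to CNI-HOSTPORT-DNAT. On a real node the same ordering check can be made by reading the `-A PREROUTING` lines of `iptables-save -t nat` in order.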

Credits

Etienne Champetier (Anevia)

Reference(s)

[ANNOUNCE] Security release of Kubernetes affecting certain network configurations with CNI – Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 – CVE-2019-9946
https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-affecting-certain-network-configurations-with-cni-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-9946/5713

build/gci: bump CNI version to 0.7.5 – CVE-2019-9946 #75455
https://github.com/kubernetes/kubernetes/pull/75455

Portmap: append, rather than prepend, entry rules – CVE-2019-9946 #269
https://github.com/containernetworking/plugins/pull/269

CVE-2019-9946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946

CVE-2019-9946
https://nvd.nist.gov/vuln/detail/CVE-2019-9946

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.