Allele Security Alert
ASA-2019-00162
Identifier(s)
ASA-2019-00162, CVE-2019-9946
Title
Security issue allows traffic to be processed by HostPort/portmap rather than by KUBE-SERVICES
Vendor(s)
Cloud Native Computing Foundation
Product(s)
Kubernetes
Affected version(s)
Kubernetes versions prior to 1.11.9
Kubernetes versions prior to 1.12.7
Kubernetes versions prior to 1.13.5
Kubernetes versions prior to 1.14.0
Fixed version(s)
Kubernetes version 1.11.9
Kubernetes version 1.12.7
Kubernetes version 1.13.5
Kubernetes version 1.14.0
Proof of concept
Unknown
Description
A security issue was discovered in the interaction between the CNI (Container Network Interface) portmap plugin, versions prior to 0.7.5, and Kubernetes. Because the CNI portmap plugin is embedded in Kubernetes releases, new releases of Kubernetes are required to fix this issue.
Technical details
Before this fix, the ‘portmap’ plugin, which sets up HostPorts for CNI, inserted its rules at the front of the iptables nat chains, where they took precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even when a better-fitting, more specific service rule, such as a NodePort rule, appeared later in the chain.
Switching the portmap plugin to append its rules, rather than prepend them, lets traffic be processed by the KUBE-SERVICES rules first. Only traffic that matches no service is then considered for HostPorts. This matches the behaviour of the legacy ‘kubenet’ network driver.
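The ordering problem can be seen without a cluster by simulating first-match traversal of the nat PREROUTING chain. The following is an added example written for this alert; it is not code from the Kubernetes or CNI plugins projects. The chain names PREROUTING, KUBE-SERVICES, KUBE-NODEPORTS and CNI-HOSTPORT-DNAT mirror the real ones, but the node address, pod addresses, ports, the per-pod chain names (CNI-DN-podB, CNI-DN-podC) and the collapsing of kube-proxy's KUBE-SVC-/KUBE-SEP- indirection into a single DNAT are constructed for the illustration. It assumes kube-proxy's jump to KUBE-SERVICES is already in PREROUTING when the portmap plugin adds its own jump, which is the situation the fix addresses.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology (not from the advisory): one node, one NodePort service
# on 31080 and two pods publishing HostPorts 31080 and 8080 via portmap.
NODE_IP = "192.0.2.10"
LOCAL_ADDRS = {NODE_IP, "127.0.0.1"}   # what `-m addrtype --dst-type LOCAL` matches


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                     # "DNAT", or the user chain to jump to
    proto: Optional[str] = None     # -p tcp
    dport: Optional[int] = None     # --dport N
    local_dst: bool = False         # -m addrtype --dst-type LOCAL
    to: Optional[str] = None        # DNAT --to-destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.local_dst and pkt.dst not in LOCAL_ADDRS:
            return False
        return True


def traverse(table: dict, chain: str, pkt: Packet) -> Optional[str]:
    """First matching rule wins. DNAT terminates nat-table processing; a user
    chain that falls off its end returns to the caller, which carries on with
    its next rule (RETURN semantics). Returns the DNAT destination or None."""
    for rule in table[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target == "DNAT":
            return rule.to
        verdict = traverse(table, rule.target, pkt)
        if verdict is not None:
            return verdict
    return None


def build_nat_table(portmap_prepends: bool) -> dict:
    table = {
        "PREROUTING": [],
        # kube-proxy: KUBE-SERVICES ends with the addrtype LOCAL jump to KUBE-NODEPORTS
        "KUBE-SERVICES": [Rule("KUBE-NODEPORTS", local_dst=True)],
        "KUBE-NODEPORTS": [Rule("DNAT", proto="tcp", dport=31080, to="10.244.1.5:8080")],
        # portmap: summary chain dispatching to one constructed chain per pod
        "CNI-HOSTPORT-DNAT": [
            Rule("CNI-DN-podB", proto="tcp", dport=31080),
            Rule("CNI-DN-podC", proto="tcp", dport=8080),
        ],
        "CNI-DN-podB": [Rule("DNAT", proto="tcp", dport=31080, to="10.244.2.7:80")],
        "CNI-DN-podC": [Rule("DNAT", proto="tcp", dport=8080, to="10.244.2.8:80")],
    }
    # Assumed starting state: kube-proxy's jump is already present.
    table["PREROUTING"].insert(0, Rule("KUBE-SERVICES"))
    portmap_jump = Rule("CNI-HOSTPORT-DNAT", local_dst=True)
    if portmap_prepends:
        # portmap < 0.7.5: `iptables -t nat -I PREROUTING ...` lands ahead of KUBE-SERVICES
        table["PREROUTING"].insert(0, portmap_jump)
    else:
        # portmap 0.7.5 (PR #269): `iptables -t nat -A PREROUTING ...` goes after it
        table["PREROUTING"].append(portmap_jump)
    return table


def resolve(portmap_prepends: bool, dport: int) -> Optional[str]:
    """Where does TCP traffic to NODE_IP:dport get DNATed under each ordering?"""
    pkt = Packet("tcp", NODE_IP, dport)
    return traverse(build_nat_table(portmap_prepends), "PREROUTING", pkt)


if __name__ == "__main__":
    for label, prepends in (("portmap < 0.7.5 (prepend)", True),
                            ("portmap 0.7.5 (append)", False)):
        print(f"{label}:")
        print(f"  {NODE_IP}:31080 (NodePort and HostPort collide) -> {resolve(prepends, 31080)}")
        print(f"  {NODE_IP}:8080  (HostPort only)                 -> {resolve(prepends, 8080)}")
```

With the prepended jump, traffic to the node's NodePort 31080 is captured by the HostPort pod; with the appended jump it reaches the service endpoint, while HostPort 8080, which no service claims, still works in both cases. On a real node the equivalent check is the order of the jump rules printed by `iptables -t nat -S PREROUTING`: the fixed behaviour has the jump to KUBE-SERVICES listed before the jump to the portmap chain.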
Credits
Etienne Champetier (Anevia)
Reference(s)
[ANNOUNCE] Security release of Kubernetes affecting certain network configurations with CNI – Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 – CVE-2019-9946
https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-affecting-certain-network-configurations-with-cni-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-9946/5713
build/gci: bump CNI version to 0.7.5 – CVE-2019-9946 #75455
https://github.com/kubernetes/kubernetes/pull/75455
Portmap: append, rather than prepend, entry rules – CVE-2019-9946 #269
https://github.com/containernetworking/plugins/pull/269
CVE-2019-9946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946
CVE-2019-9946
https://nvd.nist.gov/vuln/detail/CVE-2019-9946
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: August 29, 2019