CVE-2021-25740 affects Kubernetes clusters where users who can modify Endpoint or EndpointSlice objects can redirect shared ingress or LoadBalancer traffic to unauthorized pods in another namespace. The issue highlights a multi-tenant networking weakness in Kubernetes and can be mitigated by avoiding shared load balancers, using Gateway API, and restricting direct user access to EndpointSlice objects.
Key points
- Kubernetes CVE-2021-25740 allows traffic redirection by abusing Endpoint or EndpointSlice objects.
- The flaw impacts clusters that use shared ingress or LoadBalancer services in multi-tenant environments.
- Users with permission to edit EndpointSlice objects can point service traffic to endpoints in another tenant's namespace.
- The attack can bypass network policies because the load balancer must retain access to multiple namespaces.
- The article explains how Kubernetes Services rely on EndpointSlices to map service traffic to pod IP addresses.
- Mitigations include avoiding shared load balancers, adopting Gateway API, and removing direct user write access to EndpointSlice objects.
- The article closes by noting that these unpatchable Kubernetes issues are architecture-dependent and tied to cluster threat models.
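
One way to check the mitigation of removing direct user write access to EndpointSlice objects is to audit RBAC roles for write verbs on Endpoints and EndpointSlices. The following is an added example, not code from the article or from Kubernetes; the role names and the sample data are constructed, and the input is assumed to have the shape of `kubectl get clusterroles,roles -A -o json` output.

```python
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# (apiGroup, resource) pairs whose objects decide where a Service sends traffic.
TARGETS = [("", "endpoints"), ("discovery.k8s.io", "endpointslices")]


def writable_targets(rule):
    """Return the TARGETS entries that one RBAC rule allows a subject to modify."""
    if not WRITE_VERBS & set(rule.get("verbs", [])):
        return []
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    return [(g, r) for g, r in TARGETS
            if (g in groups or "*" in groups) and (r in resources or "*" in resources)]


def find_endpoint_writers(role_list):
    """Map 'Kind/namespace/name' to writable targets for each Role/ClusterRole.

    resourceNames restrictions are ignored, so a hit means "review this role".
    """
    findings = {}
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        key = f'{role.get("kind", "?")}/{meta.get("namespace", "-")}/{meta.get("name", "?")}'
        hits = {t for rule in role.get("rules") or [] for t in writable_targets(rule)}
        if hits:
            findings[key] = sorted(hits)
    return findings


# Constructed sample; every role name and namespace here is hypothetical.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "tenant-edit"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
         "verbs": ["get", "list", "create", "update"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "tenant-a"}, "rules": [
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-admin"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "slice-patcher", "namespace": "tenant-b"}, "rules": [
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["patch"]}]},
]}

if __name__ == "__main__":
    for role, targets in find_endpoint_writers(SAMPLE).items():
        print(role, "can write", targets)
```

Roles flagged here still need their bindings reviewed to see which users or service accounts actually hold them.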
MITRE Techniques
- [T1090] Proxy - Shared ingress/load balancer traffic is redirected through manipulated service backends to reach unintended targets ("the load balancer will send requests … on to the victim deployment").
- [T1611] Escape to Host - Not mentioned directly in the article.
Indicators of Compromise
- [CVE identifier] vulnerability reference - CVE-2021-25740
- [Kubernetes resource names] example service and workload names used in the explanation - nginx, attacker-service
- [IP addresses] EndpointSlice examples showing cluster and pod addresses - 172.18.0.2, 10.244.0.6, and 2 more IPs
- [Container image] example deployment image - nginx:1.27
Read more: https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2021-25740/