CVE-2020-8562 is a TOCTOU vulnerability in the Kubernetes API server proxy that can be combined with DNS rebinding to bypass an IP-based filter and reach internal services such as metadata or kube-proxy configuration endpoints. The issue is most concerning for managed Kubernetes control planes, because exploitation requires creating Node objects and using the API server proxy; mitigations include enforcing minimum DNS TTLs on control plane resolvers or using Konnectivity. #CVE-2020-8562 #Kubernetes
Keypoints
- The vulnerability (CVE-2020-8562) is a time-of-check to time-of-use (TOCTOU) race in Kubernetes’ API server proxy, which resolves the target name twice: once for the security check and once for the proxied request.
- Kubernetes attempted to block proxy requests to private IPv4 ranges using Go’s isGlobalUnicast check, but because the name is looked up more than once, an attacker-controlled DNS server can return one address for the check and a different one for the use.
- An attacker can use DNS rebinding services (low TTL alternating responses) and a fake Node object whose address is a DNS name to alternate between an allowed IP and a disallowed target such as 127.0.0.1 or 169.254.169.254.
- Practical exploitation requires privileges to create Node objects and to use the API server proxy, so the biggest risk is to managed control planes where cluster admins should not access control plane networks.
- Proof-of-concept exploitation involves rapidly repeating proxy requests (e.g., curl loop) to win the timing window and access endpoints bound to localhost like kube-proxy’s configz.
- Mitigations include configuring DNS resolvers for control plane nodes to enforce a minimum TTL (ignoring remote TTLs) to defeat rebinding and using Konnectivity to keep API server proxy traffic off the control plane network.
- While not broadly exploitable in many clusters, operators of managed Kubernetes services should consider this a significant risk for control plane exposure and probeability.
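To make the race in the keypoints above concrete, the following is an added Go example, not code from the Datadog article or from Kubernetes. It contrasts the double-lookup pattern (resolve for the check, resolve again for the connection) with a single-lookup version that dials exactly the address it checked. The `Resolver` interface, the `RebindingResolver` that alternates answers, the hostname `rebinder.example` and the addresses 172.18.0.2 and 127.0.0.1 are constructed for the demonstration. The filter uses Go’s real `net.IP.IsGlobalUnicast`, which rejects loopback, link-local, multicast and unspecified addresses but, per its documentation, still accepts RFC 1918 space.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Resolver abstracts DNS so the example runs offline; a real implementation
// would wrap net.Resolver.LookupIPAddr.
type Resolver interface {
	LookupIP(host string) (net.IP, error)
}

// RebindingResolver is a constructed stand-in for a rebinding DNS service:
// every lookup returns the next answer in the list, so two consecutive
// lookups of the same name can disagree (the effect of a low TTL rebinder).
type RebindingResolver struct {
	Answers []net.IP
	calls   int
}

func (r *RebindingResolver) LookupIP(host string) (net.IP, error) {
	if len(r.Answers) == 0 {
		return nil, errors.New("no DNS answer for " + host)
	}
	ip := r.Answers[r.calls%len(r.Answers)]
	r.calls++
	return ip, nil
}

// allowed is the IsGlobalUnicast-style filter described on the page. Go's
// IsGlobalUnicast rejects loopback, link-local, multicast and the unspecified
// address, but it still accepts RFC 1918 private space.
func allowed(ip net.IP) bool {
	return ip.IsGlobalUnicast()
}

// proxyDialAddrTOCTOU models the vulnerable pattern: the name is resolved for
// the check, then resolved again (here explicitly; in practice by handing the
// hostname to net.Dial) when the connection is built. The address that is
// actually dialed is not the address that was checked.
func proxyDialAddrTOCTOU(r Resolver, host, port string) (string, error) {
	checkIP, err := r.LookupIP(host) // lookup #1: used only for the check
	if err != nil {
		return "", err
	}
	if !allowed(checkIP) {
		return "", fmt.Errorf("blocked: %s resolves to %s", host, checkIP)
	}
	useIP, err := r.LookupIP(host) // lookup #2: used for the dial
	if err != nil {
		return "", err
	}
	return net.JoinHostPort(useIP.String(), port), nil
}

// proxyDialAddrPinned resolves once, checks that answer, and dials that same
// answer. With a single lookup there is no window for the answer to change.
func proxyDialAddrPinned(r Resolver, host, port string) (string, error) {
	ip, err := r.LookupIP(host)
	if err != nil {
		return "", err
	}
	if !allowed(ip) {
		return "", fmt.Errorf("blocked: %s resolves to %s", host, ip)
	}
	return net.JoinHostPort(ip.String(), port), nil
}

func main() {
	// Constructed answers: an allowed address first, then loopback.
	answers := []net.IP{net.ParseIP("172.18.0.2"), net.ParseIP("127.0.0.1")}

	addr, err := proxyDialAddrTOCTOU(&RebindingResolver{Answers: answers}, "rebinder.example", "10249")
	fmt.Println("double lookup:", addr, err) // 127.0.0.1:10249 <nil>  (check passed, dial went to loopback)

	addr, err = proxyDialAddrPinned(&RebindingResolver{Answers: answers}, "rebinder.example", "10249")
	fmt.Println("single lookup:", addr, err) // 172.18.0.2:10249 <nil>  (dials the checked answer)
}
```

The resolver-side mitigation the page describes (a minimum TTL enforced by the control plane’s DNS resolver) narrows the same window from the other side by making consecutive lookups return the same cached answer; the code-level fix is to pass the checked IP, not the hostname, to the dialer.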
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability is used as a server-side request forgery/TOCTOU to bypass API server proxy checks and reach internal services (‘…allows attackers to carry out Server-Side Request Forgery (SSRF) attacks on clusters.’)
- [T1090] Proxy – The Kubernetes API server proxy feature is abused to send requests to workloads or node services inside the cluster, enabling access to localhost-bound endpoints via the control plane (‘…the API server proxy is a feature that helps cluster admins troubleshoot workloads in the cluster and services running on cluster nodes. It can be used to send requests via the API server to any workload or node service in the cluster…’)
Indicators of Compromise
- [Domain] DNS rebinder domain used for alternating responses – ac120002.7f000001.rbndr.us (example rebinder domain), rbndr.us (rebinder service).
- [IP Address] Target/internal addresses observed in examples – 172.18.0.2 (internal container/network address), 127.0.0.1 (localhost).
- [Kubernetes Resource] Fake Node object name used to exploit proxy – fakekindnode (Node status.addresses entry set to a DNS name).
- [URL / Endpoint] Proxy request example and target endpoint – http://localhost:8001/api/v1/nodes/fakekindnode:10249/proxy/configz (kube-proxy configz endpoint bound to localhost).
- [Port] Service port targeted via proxy – 10249 (kube-proxy configz), and local API server proxy port 8001 (kubectl proxy URL).
Read more: https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8562/