Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8561 | Datadog Security Labs

This article explains CVE-2020-8561, an unpatchable Kubernetes vulnerability that combines an SSRF vector via ValidatingWebhookConfiguration objects with the API server’s profiling endpoints to escalate impact by exposing full responses. The exploit requires valid cluster credentials (typically cluster-admin) to change the API server log level and then trigger webhook-initiated requests to probe internal services. #CVE-2020-8561 #kube-apiserver

Keypoints

  • CVE-2020-8561 chains an SSRF vector in the Kubernetes API server with the API server’s profiling feature to view full SSRF responses.
  • The vulnerability leverages ValidatingWebhookConfiguration objects to make the API server send requests to attacker-specified URLs when matching resources are created or updated.
  • Enabling --profiling (pprof) allows changing the API server log level (e.g., to debug), which reveals webhook response data in logs.
  • An attacker needs valid Kubernetes credentials and elevated permissions (typically cluster-admin) to perform the attack.
  • The attack is more serious when control plane nodes are isolated from worker nodes or run in a cloud provider network (managed Kubernetes), because SSRF from the API server can reach privileged services like cloud metadata APIs.
  • Mitigations include disabling profiling on the API server (set --profiling=false) and designing the network architecture so that SSRF requests originating from the API server provide no advantage.

MITRE Techniques

  • [N/A] No MITRE ATT&CK techniques are mentioned in the article.

Indicators of Compromise

  • [IP:Port] Example target endpoints used in demonstrations: 127.0.0.1:1337, 127.0.0.1:8001
  • [API endpoints / URLs] API server debug and webhook URLs referenced: http://127.0.0.1:8001/debug/flags/v, https://127.0.0.1:1337
  • [Kubernetes resource names] Objects used to trigger SSRF: ValidatingWebhookConfiguration (example name: ssrf-demo-webhook), webhook entry ssrf-webhook.ssrf-attacker.example.com
  • [Commands / request examples] Reproduction commands and manifests: curl -X PUT http://127.0.0.1:8001/debug/flags/v -d "10", sample ValidatingWebhookConfiguration manifest (clientConfig.url set to the target)
Read more: https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8561/