Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Sep 2021 14:17:55 -0700
From: CJ Cullen <cjcullen@...gle.com>
To: oss-security@...ts.openwall.com
Subject: [kubernetes] CVE-2021-25741: Symlink Exchange Can Allow Host
 Filesystem Access

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user may be able to
create a container with subpath volume mounts to access files & directories
outside of the volume, including on the host filesystem.

This issue has been rated High (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>),
and assigned CVE-2021-25741.
Affected Components and Configurations

This bug affects kubelet.

Environments where cluster administrators have restricted the ability to
create hostPath mounts are the most seriously affected. Exploitation allows
hostPath-like access without use of the hostPath feature, thus bypassing
the restriction.

In a default Kubernetes environment, exploitation could be used to obscure
misuse of already-granted privileges.
Affected Versions

   -

   v1.22.0 - v1.22.1
   -

   v1.21.0 - v1.21.4
   -

   v1.20.0 - v1.20.10
   -

   <= v1.19.14

Fixed Versions

This issue is fixed in the following versions:

   -

   v1.22.2
   -

   v1.21.5
   -

   v1.20.11
   -

   v1.19.15

Mitigation

To mitigate this vulnerability without upgrading kubelet, you can disable
the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove
any existing Pods making use of the feature.

You can also use admission control to prevent less-trusted users from
running containers as root to reduce the impact of successful exploitation.
Detection

If you find evidence that this vulnerability has been exploited, please
contact security@...ernetes.io
Additional Details

See Kubernetes Issue #104980
<https://github.com/kubernetes/kubernetes/issues/104980> for more details.
Acknowledgements

This vulnerability was reported by Fabricio Voznika and Mark Wolters of
Google.

Thanks as well to Ian Coldwater, Duffie Cooley, Brad Geesaman, and Rory
McCune for the thorough security research that led to the discovery of this
vulnerability.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.