Rancher Security Advisory: CVE-2020-10749 and CVE-2020-8555 reported by Kubernetes


Dear Rancher User,

Kubernetes has announced the following two medium-rated vulnerabilities today (01JUN2020):

  • CVE-2020-10749: "IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements."
  • CVE-2020-8555: "Half-Blind SSRF in kube-controller-manager"

TL;DR - are you impacted?

CVE-2020-10749: You are vulnerable if a user who can create containers with the CAP_NET_RAW capability on an affected cluster can then intercept traffic from other containers on the host, or from the host itself.

Note: Unless blocked by a pod security policy, the default Kubernetes security context runs workloads with a capabilities bounding set that includes CAP_NET_RAW. Rancher-managed RKE clusters using Rancher's built-in "Restricted" Pod Security Policy are protected from this CVE, since that policy blocks the CAP_NET_RAW capability for normal users.
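To find which containers still hold CAP_NET_RAW under the semantics just described, here is an added Python audit (not Rancher's or Kubernetes' code) that walks the JSON shape of `kubectl get pods -A -o json`; the pod list it runs on is constructed for illustration.

```python
"""Audit pod specs for containers that keep CAP_NET_RAW, the capability behind CVE-2020-10749.

Semantics assumed: the default bounding set includes NET_RAW; capabilities.drop (NET_RAW or ALL)
removes it, and because the runtime applies drop before add, capabilities.add can re-grant it.
"""
from typing import Dict, List


def _normalise(cap: str) -> str:
    # Kubernetes spells capabilities without the CAP_ prefix; tolerate both spellings.
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def container_keeps_net_raw(container: Dict) -> bool:
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    drop = {_normalise(c) for c in caps.get("drop") or []}
    add = {_normalise(c) for c in caps.get("add") or []}
    dropped = "NET_RAW" in drop or "ALL" in drop
    added = "NET_RAW" in add or "ALL" in add
    return added or not dropped


def pods_keeping_net_raw(pod_list: Dict) -> List[str]:
    """Return namespace/pod/container for every container whose effective set still has NET_RAW."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for field in ("initContainers", "containers"):  # init containers count too
            for c in spec.get(field) or []:
                if container_keeps_net_raw(c):
                    findings.append(f"{meta.get('namespace', 'default')}/{meta['name']}/{c['name']}")
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json`; not from a real cluster.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "web"},          # default context: keeps NET_RAW
     "spec": {"containers": [{"name": "nginx"}]}},
    {"metadata": {"namespace": "default", "name": "api"},          # drops everything: safe
     "spec": {"containers": [{"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "tools", "name": "probe"},          # init drops NET_RAW, main re-adds it
     "spec": {"initContainers": [{"name": "setup", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}],
              "containers": [{"name": "pinger", "securityContext":
                              {"capabilities": {"drop": ["ALL"], "add": ["CAP_NET_RAW"]}}}]}},
]}

if __name__ == "__main__":
    for finding in pods_keeping_net_raw(SAMPLE_PODS):
        print("NET_RAW retained:", finding)
```

Anything the audit lists is a candidate for `capabilities.drop: ["NET_RAW"]` or for coverage by the Restricted policy mentioned above.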

CVE-2020-8555: You are vulnerable if you meet all three of these conditions:

  1. Your cluster is one of these versions: v1.18.0, v1.17.0 - v1.17.4, v1.16.0 - v1.16.8, < v1.15.11
  2. Users can create pods with the built-in GlusterFS, Quobyte, StorageOS, or ScaleIO volume types, or they can create or modify storage classes.
  3. There are unprotected endpoints that should only be reachable from your Kubernetes master nodes (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master's private network).

The result is that the users described in condition 2 can make requests to the unprotected endpoints described in condition 3. For example, if your cluster's master nodes are deployed in a cloud that exposes host metadata at 169.254.169.254, such users could craft pod creation requests that access and expose that metadata.
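An added triage script (not from Rancher) for conditions 1 and 2 above: it parses a cluster's gitVersion against the affected ranges exactly as listed, and scans pod volumes and StorageClass provisioners for the four in-tree types; the sample objects are constructed, and condition 3 is a network property it does not check.

```python
"""Triage for conditions 1 and 2 of CVE-2020-8555: cluster version and use of the four volume types.

Condition 3 (endpoints reachable only from the masters) is a network property and is not checked here.
"""
import re
from typing import Dict, List, Tuple

# Affected ranges exactly as listed above: v1.18.0, v1.17.0-v1.17.4, v1.16.0-v1.16.8, below v1.15.11.
AFFECTED_RANGES = [((1, 18, 0), (1, 18, 0)), ((1, 17, 0), (1, 17, 4)),
                   ((1, 16, 0), (1, 16, 8)), ((0, 0, 0), (1, 15, 10))]
# Pod volume keys (scaleIO is camel-cased in the API) and the matching in-tree provisioner names.
VOLUME_KEYS = ("glusterfs", "quobyte", "storageos", "scaleIO")
PROVISIONERS = {"kubernetes.io/glusterfs", "kubernetes.io/quobyte",
                "kubernetes.io/storageos", "kubernetes.io/scaleio"}

def parse_version(git_version: str) -> Tuple[int, int, int]:
    # Accepts gitVersion strings such as v1.17.4, v1.16.10-rancher2-1 or v1.17.5+k3s1; the distro
    # suffix is ignored because the fix is in the upstream patch release.
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {git_version!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(git_version: str) -> bool:
    v = parse_version(git_version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def risky_volume_users(pods: Dict, storage_classes: Dict) -> List[str]:
    """Pods and StorageClasses matching condition 2, as human-readable findings."""
    hits = []
    for pod in pods.get("items", []):
        name = f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}"
        for vol in pod["spec"].get("volumes") or []:
            for key in VOLUME_KEYS:
                if key in vol:
                    hits.append(f"pod {name}: volume {vol['name']} is {key}")
    for sc in storage_classes.get("items", []):
        if sc.get("provisioner") in PROVISIONERS:
            hits.append(f"storageclass {sc['metadata']['name']}: provisioner {sc['provisioner']}")
    return hits

# Constructed sample objects; not taken from a real cluster.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "data", "name": "db"},
     "spec": {"volumes": [{"name": "d", "glusterfs": {"endpoints": "gfs", "path": "vol1"}}]}},
    {"metadata": {"namespace": "web", "name": "cache"},
     "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}},
]}
SAMPLE_SCS = {"items": [{"metadata": {"name": "fast"}, "provisioner": "kubernetes.io/scaleio"}]}
```

Feed it the output of `kubectl version -o json` (the server gitVersion) and `kubectl get pods,storageclasses -A -o json`; a cluster is only exposed when the version check is true, the findings list is non-empty, and condition 3 also holds.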


Details

CVE-2020-10749

#kubernetes-announce post here.

This vulnerability affects the container networking implementations listed in the table below. Fixed versions of the containernetworking CNI plugins are available. Rancher plans to make new releases this week with updated system images for the updated CNI plugins.

Container Networking Provider | Rancher Resolution

Docker
  • CVE-2020-13401
  • Affects Docker versions prior to 19.03.11
  • Issue addressed in Docker v19.03.11
  Rancher resolution: added support for Docker v19.03.11

containernetworking/plugins (and derived)
  Rancher resolution:
  • Flannel networking updated to the latest flannel CNI plugin (rancher/flannel-cni:v0.3.0-rancher6)
  • Canal networking updated to Calico v3.13.4 or Calico v3.8.9, and to the latest flannel CNI plugin

Calico and Calico Enterprise
  Rancher resolution: Calico networking updated to Calico v3.13.4 or Calico v3.8.9

Weave Net
  • Acknowledged in versions prior to v2.6.3
  • Issue addressed in Weave v2.6.3+
  Rancher resolution: Weave networking updated to v2.6.4

CVE-2020-8555

#kubernetes-announce post here.

This vulnerability has been patched in the following versions of Kubernetes:

  • v1.18.1+
  • v1.17.5+
  • v1.16.9+

How to mitigate?

New Rancher releases addressing CVE-2020-10749 and CVE-2020-8555

This communication is to let you know of the Rancher releases that are being made available this week to enable you to upgrade your clusters to the new Rancher-patched Kubernetes versions that address these vulnerabilities. The new Rancher releases are:

  • Rancher v2.4.4 (RKE CLI v1.1.2): supports the following new Kubernetes versions, for RKE clusters launched by Rancher:
    • v1.17.6-rancher2-1
    • v1.16.10-rancher2-1
    • v1.15.12-rancher2-2
  • Rancher v2.3.8 (RKE CLI v1.0.9): supports the following new Kubernetes versions, for RKE clusters launched by Rancher:
    • v1.17.6-rancher2-1
    • v1.16.10-rancher2-1
    • v1.15.12-rancher2-2
  • Rancher v2.2.13 (RKE CLI v0.2.11): supports the following new Kubernetes versions, for RKE clusters launched by Rancher:
    • v1.15.12-rancher1-1

For K3S users

CVE-2020-10749 is being addressed by upgrading the version of the https://github.com/containernetworking/plugins library used by k3s to v0.8.6. See the following PRs for reference:

CVE-2020-8555 was patched in the following versions of Kubernetes: v1.18.1+, v1.17.5+, v1.16.9+. Thus, this vulnerability is already patched in the K3s releases:

  • v1.18.2+k3s1
  • v1.17.5+k3s1
  • v1.16.9+k3s1

To ensure you have the latest stable version of Kubernetes for each release when upgrading to address these CVEs, we'll be releasing the following:

  • v1.18.3+k3s1
  • v1.17.6+k3s1
  • v1.16.10+k3s1

These releases will contain patches for both CVEs.

For RancherOS users

Rancher plans to ship the next maintenance release of RancherOS, likely versioned v1.5.6, this week; it is validated for Docker v19.03.11.

To address both CVEs, an upgrade of all three components is required: RancherOS, Kubernetes, and Rancher.

For users who are only concerned with CVE-2020-13401, the Docker-specific counterpart of CVE-2020-10749, upgrading RancherOS alone should suffice.

For users of legacy and post-EOL versions of Rancher and Kubernetes

  • The scope of this communication does not include Rancher v1.6.x. Kubernetes v1.12.7 is the highest version supported in Rancher v1.6.x. For specific questions about your Rancher v1.6.x / Kubernetes environment, please file a support ticket so that we can offer guidance in context.
  • For users of Rancher v2.0.x and v2.1.x (both of which have reached their EOL milestones): the Kubernetes CVEs have been patched in v1.17.x, v1.16.x and v1.15.x only, and these Kubernetes versions are not supported by Rancher v2.0.x and v2.1.x.

Questions?

Simply submit a request via this portal referencing this article and we will track and respond to your question as a support ticket.

Thanks,

Rancher Support Team
