Two security issues were discovered in Kubernetes and disclosed on March 23, 2020 that could lead to a recoverable denial of service in a Kubernetes cluster.
CVE-2020-8552 affects the API server, the cluster's gateway component that receives, authenticates, authorizes and processes administration requests. It has been rated Medium. An attacker who can make an authorized resource request to an unpatched API server can exhaust its memory and crash it, causing a Denial of Service (DoS). Prior to Kubernetes v1.14, this was possible via unauthenticated requests by default. Since the API server is reachable from outside the cluster as well as from workloads within it, an attacker may attempt to exploit this vulnerability from the internet.
The vulnerability affects:
- kube-apiserver v1.17.0 – v1.17.2
- kube-apiserver v1.16.0 – v1.16.6
- kube-apiserver < v1.15.10
CVE-2020-8551 affects the kubelet, the Kubernetes component that manages pods and their resources on each node. It has been rated Medium. It may cause a DoS by exhausting the kubelet's memory and thus killing it, through the kubelet API: both the unauthenticated HTTP read-only API typically served on port 10255 and the authenticated HTTPS API typically served on port 10250. It is most likely exploitable only from within the cluster, by an attacker who already has a foothold there, for example by compromising a workload that is reachable from the Internet or by being able to deploy a workload.
The vulnerability affects:
- kubelet v1.17.0 – v1.17.2
- kubelet v1.16.0 – v1.16.6
- kubelet v1.15.0 – v1.15.9
- kubelets prior to v1.15.0 are unaffected
Both vulnerabilities are patched in Kubernetes v1.15.10, v1.16.7 and v1.17.3.
Prior to upgrading, these vulnerabilities can be mitigated by preventing unauthenticated or unauthorized access to the affected components, and by automatically restarting the API server and kubelet after an out-of-memory crash.
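The following is an added example (not Alcide's code and not part of the Kubernetes project) of how a practitioner can check the first mitigation on the kubelet side: it flags the KubeletConfiguration settings that leave the read-only port 10255 or the port 10250 API reachable without authentication or authorization, shows the hardened counterpart, and includes an optional network probe that confirms what a node actually answers to a client with no credentials. The two sample configurations, the host name in the usage line and the treatment of unset values (reported so that they get set explicitly) are assumptions of this example. The API-server counterpart is running kube-apiserver with `--anonymous-auth=false` and an authorization mode other than AlwaysAllow.

```python
"""Added example (not Alcide's or the Kubernetes project's code): flag kubelet
settings that leave its API reachable without authentication or authorization,
and optionally confirm from the network what a node answers to an anonymous
client. Sample configs, host names and thresholds are constructed."""
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample: a permissive KubeletConfiguration (the file passed to
# the kubelet via --config; the kubelet accepts JSON as well as YAML).
WEAK_CONFIG = json.loads("""
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "readOnlyPort": 10255,
  "authentication": {"anonymous": {"enabled": true},
                     "webhook": {"enabled": false}},
  "authorization": {"mode": "AlwaysAllow"}
}
""")

# Constructed sample: the hardened counterpart.
HARDENED_CONFIG = json.loads("""
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "readOnlyPort": 0,
  "authentication": {"anonymous": {"enabled": false},
                     "webhook": {"enabled": true}},
  "authorization": {"mode": "Webhook"}
}
""")


def audit_kubelet_config(cfg):
    """Return a list of findings; an empty list means no weak setting was found.
    Unset values are reported too, so the operator sets them explicitly
    (the --anonymous-auth flag and the config file do not share defaults)."""
    findings = []
    # readOnlyPort defaults to 10255 when omitted; only 0 disables it.
    ro_port = cfg.get("readOnlyPort", 10255)
    if ro_port != 0:
        findings.append(f"readOnlyPort={ro_port}: unauthenticated read-only API "
                        "exposed; set readOnlyPort: 0")
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("authentication.anonymous.enabled is not false: requests "
                        "without credentials are accepted as system:anonymous")
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("authentication.webhook.enabled is not true: bearer "
                        "tokens are not verified against the API server")
    if cfg.get("authorization", {}).get("mode") != "Webhook":
        findings.append("authorization.mode is not Webhook: requests are not "
                        "checked against the API server's authorizer")
    return findings


def probe_kubelet(host, timeout=3):
    """Request /pods on both kubelet ports without credentials.

    Returns {"read-only": status, "https": status}; None means the port did
    not answer. Run only against nodes you are authorized to test.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # node certs are usually cluster-CA signed
    ctx.verify_mode = ssl.CERT_NONE  # we are testing auth, not TLS trust
    results = {}
    for name, url in (("read-only", f"http://{host}:10255/pods"),
                      ("https", f"https://{host}:10250/pods")):
        try:
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
                results[name] = resp.status
        except urllib.error.HTTPError as err:
            results[name] = err.code      # 401/403 means auth is enforced
        except (urllib.error.URLError, OSError):
            results[name] = None          # refused, filtered or timed out
    return results


def assess_probe(results):
    """Translate probe status codes into findings."""
    findings = []
    if results.get("read-only") is not None:
        findings.append("port 10255 answers: read-only API reachable without credentials")
    https = results.get("https")
    if https is not None and 200 <= https < 300:
        findings.append("port 10250 served /pods anonymously: authentication "
                        "or authorization is off")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_kubelet_config(cfg) or ["ok"])
    # Live check against a hypothetical node; replace the host name.
    # print(assess_probe(probe_kubelet("node-1.example.internal")))
```

A node that returns 401 or 403 on port 10250 and nothing on port 10255 is enforcing the settings the config check asks for; a 200 on either port means an attacker with network reach to the node can hit the vulnerable kubelet API without any credentials.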
The Kubernetes API server logs every request it receives in its audit log. Alcide kAudit automatically monitors and analyzes these audit logs and can detect anomalous behavior associated with attempts to exploit vulnerabilities in the API server. It can therefore alert Security and DevOps teams to suspicious attempts to access their clusters, whether to scan for potential vulnerabilities or to exploit them. Similarly, Alcide Runtime detects anomalous access to the kubelet and can alert Security and DevOps teams to suspicious attempts to access the kubelet API.
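As an added illustration of what such audit-log analysis looks like (this is example code, not Alcide kAudit), the script below reads kube-apiserver audit events in the audit.k8s.io/v1 JSON-lines format and reports two things: any anonymous request that succeeded on a path other than the public health and version endpoints, and any source address that produced a burst of anonymous or denied requests, the pattern left by the Internet scans mentioned above. It assumes an audit policy that records at least the Metadata level (user, source IPs, request URI and response status); the sample events, addresses, threshold and window are constructed.

```python
"""Added example (not Alcide kAudit): find probing and anonymous access in
kube-apiserver audit logs (audit.k8s.io/v1 JSON lines). The sample events,
addresses and thresholds below are constructed."""
import json
from collections import defaultdict
from datetime import datetime

ANONYMOUS = "system:anonymous"
# Endpoints the API server commonly exposes to anonymous clients; a 2xx on
# these is not a finding by itself.
PUBLIC_PATHS = {"/healthz", "/livez", "/readyz", "/version"}


def _event(ts, ip, user, verb, uri, code):
    """Build one minimal ResponseComplete audit event (constructed test data)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "stage": "ResponseComplete", "requestReceivedTimestamp": ts,
        "sourceIPs": [ip], "user": {"username": user}, "verb": verb,
        "requestURI": uri, "responseStatus": {"code": code},
    })


# Constructed sample log: an Internet scanner (203.0.113.7), a workload
# service account (10.0.0.5) and one anonymous read that should never succeed.
SAMPLE_LOG = [
    _event("2020-03-24T10:15:01Z", "203.0.113.7", ANONYMOUS, "get", "/api", 403),
    _event("2020-03-24T10:15:02Z", "203.0.113.7", ANONYMOUS, "list", "/api/v1/pods", 403),
    _event("2020-03-24T10:15:03Z", "203.0.113.7", ANONYMOUS, "get", "/apis", 403),
    _event("2020-03-24T10:15:04Z", "203.0.113.7", ANONYMOUS, "list",
           "/api/v1/namespaces/kube-system/secrets", 403),
    _event("2020-03-24T10:15:05Z", "10.0.0.5", "system:serviceaccount:default:app",
           "list", "/api/v1/namespaces/default/pods", 200),
    _event("2020-03-24T10:15:06Z", "198.51.100.9", ANONYMOUS, "get", "/version", 200),
    _event("2020-03-24T10:15:07Z", "10.0.0.5", "system:serviceaccount:default:app",
           "list", "/api/v1/nodes", 403),
    _event("2020-03-24T10:15:08Z", "198.51.100.9", ANONYMOUS, "list", "/api/v1/pods", 200),
    _event("2020-03-24T10:20:00Z", "203.0.113.7", ANONYMOUS, "get", "/healthz", 200),
]


def _parse_ts(value):
    # Audit timestamps are RFC 3339 in UTC; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def analyze_audit_log(lines, threshold=3, window_seconds=60):
    """Return findings as dicts with a "kind" of "anonymous_success" or "burst".

    anonymous_success: system:anonymous got a 2xx outside PUBLIC_PATHS.
    burst: one source IP made `threshold` or more anonymous or denied
    (401/403) requests within any `window_seconds` window.
    """
    findings = []
    suspicious_by_ip = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # count each request once, with its final status
        user = ev.get("user", {}).get("username", "")
        code = ev.get("responseStatus", {}).get("code", 0)
        ip = (ev.get("sourceIPs") or ["unknown"])[0]
        path = ev.get("requestURI", "").split("?", 1)[0]
        if user == ANONYMOUS and 200 <= code < 300 and path not in PUBLIC_PATHS:
            findings.append({"kind": "anonymous_success", "ip": ip,
                             "verb": ev.get("verb"), "path": path, "code": code})
        if user == ANONYMOUS or code in (401, 403):
            suspicious_by_ip[ip].append(_parse_ts(ev["requestReceivedTimestamp"]))
    for ip, stamps in suspicious_by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"kind": "burst", "ip": ip, "count": best,
                             "window_seconds": window_seconds})
    return findings


if __name__ == "__main__":
    for finding in analyze_audit_log(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports the anonymous listing of pods from 198.51.100.9 and a burst of four denied anonymous requests from 203.0.113.7, while the single 403 for the application service account stays below the threshold. In production the same logic runs over the audit log the API server writes (or the webhook backend it posts to), and the threshold and window should be tuned to the cluster's normal rate of denied requests.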
Since these Kubernetes vulnerabilities were published on March 23, Alcide kAudit services monitoring several Kubernetes clusters have detected the usual regular scans from the Internet for vulnerable APIs, but no increase in attempts that could be associated with exploiting CVE-2020-8552.