CVE-2020-8558
Published 2020-07-27
Priority P3 · 51 · high · 8.8 · CVSS 3.1
CVSS vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.60% (88.0th percentile)
The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.18.5-1 (bookworm) | kubernetes 1.18.5-1 (bookworm) |
| k8s.io | kubernetes | >= 0 < 1.16.11 | 1.16.11 |
| k8s.io | kubernetes | >= 1.17.0 < 1.17.7 | 1.17.7 |
| k8s.io | kubernetes | >= 1.18.0 < 1.18.4 | 1.18.4 |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.18.5-1 | 1.18.5-1 |
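CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 5.8 | MEDIUM | AV:A/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 5.4 | MEDIUM | — |
| vendor_redhat | — | 5.4 | MEDIUM | — |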
Red Hat
kubernetes: node localhost services reachable via martian packets
vendor_redhat·2020-07-08·CVSS 5.4
CVE-2020-8558 [MEDIUM] CWE-300 kubernetes: node localhost services reachable via martian packets
A flaw was found in Kubernetes that allows attackers on adjacent networks to reach services exposed on localhost ports, previously thought to be unreachable. This flaw allows an attacker to gain privileges or access confid
Debian
CVE-2020-8558: kubernetes - The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, ...
vendor_debian·2020·CVSS 5.4
CVE-2020-8558 [MEDIUM] CVE-2020-8558: kubernetes - The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, ...
Scope: local
bookworm: resolved (fixed in 1.18.5-1)
bullseye: resolved (fixed in 1.18.5-1)
forky: resolved (fixed in 1.18.5-1)
sid: resolved (fixed in 1.18.5-1)
trixie: resolved (fixed in 1.18.5-1)
OSV
Improper Authentication in Kubernetes in k8s.io/kubernetes
osv·2024-08-21
CVE-2020-8558 Improper Authentication in Kubernetes in k8s.io/kubernetes
GHSA
Improper Authentication in Kubernetes
ghsa·2022-02-15
CVE-2020-8558 [HIGH] CWE-420 Improper Authentication in Kubernetes
A security issue was discovered in the Kubelet and kube-proxy components of Kubernetes which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. For example, if a cluster administrator runs a TCP service on a node that listens on 127.0.0.1:1234, because of this bug, that service would be potentially reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. If the example service on port 1234 required no additional authentication (because it assumed that only other localhost processes could reach it), then it could be vulnerable to attacks that make use of this bug.
OSV
Improper Authentication in Kubernetes
osv·2022-02-15
CVE-2020-8558 [HIGH] Improper Authentication in Kubernetes
OSV
CVE-2020-8558: The Kubelet and kube-proxy components in versions 1
osv·2020-07-27·CVSS 8.8
CVE-2020-8558 [HIGH] CVE-2020-8558: The Kubelet and kube-proxy components in versions 1
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-8558 origin: kubernetes: node localhost services reachable via martian packets [fedora-all]
bugzilla·2020-07-15·CVSS 5.4
CVE-2020-8558 [MEDIUM] CVE-2020-8558 origin: kubernetes: node localhost services reachable via martian packets [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mult
Bugzilla
CVE-2020-8558 kubernetes: node localhost services reachable via martian packets
bugzilla·2020-06-03·CVSS 5.4
CVE-2020-8558 [MEDIUM] CVE-2020-8558 kubernetes: node localhost services reachable via martian packets
Kubernetes' kube-proxy enables net.ipv4.conf.all.route_localnet by default on all nodes. This allows neighbouring hosts on the local network to reach ports on Kubernetes nodes that are only exposed on localhost.
Discussion:
Upstream Issue:
https://github.com/kubernetes/kubernetes/issues/90259
---
Upstream Fix:
https://github.com/kubernetes/kubernetes/pull/91569
---
Statement:
OpenShift Container Platform does not expose the API server on a localhost port without authentication. The only service exposed on a localhost port not protected by authentication is Metrics, which exposes some cluster metadata.
---
External References:
https://groups.google.com/g/kubernetes-security-announce/c/B1VegbBDMTE
Unit42
Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
blogs_unit42·2020-07-27·CVSS 5.4
CVE-2020-8558 [MEDIUM] Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
## Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
Yuval Avrahami
Ariel Zelivansky
Published: July 27, 2020
## Executive Summary
A security issue assigned CVE-2020-8558 was recently discovered in the kube-proxy, a networking component running on Kubernetes nodes. The issue exposed internal services of Kubernetes nodes, often run without authentication. On certain Kubernetes deployments, this could have exposed the api-server, allowing an unauthenticated attacker to gain complete control over the cluster. An attacker with this sort of access could steal information, deploy crypto miners or remove existing services altogether.
The vulnerability exposed nodes’ localhost services – services meant to be accessible only from the node itself – to hosts on the local network and to pods running on the node. Localhost bound services expect that only trusted, local processes can interact with them, and t
https://github.com/kubernetes/kubernetes/issues/92315
https://groups.google.com/g/kubernetes-announce/c/sI4KmlH3S2I/m/TljjxOBvBQAJ
https://security.netapp.com/advisory/ntap-20200821-0001/