CNI security vulnerability in older AKS clusters and mitigation steps
Published date: 01 June, 2020
A security vulnerability (CVE-2020-10749) has been identified in the Container Network Interface (CNI) plugins, affecting plugin versions earlier than v0.8.6, and may affect older AKS clusters.
An AKS cluster whose nodes use an affected CNI plugin is susceptible to man-in-the-middle (MitM) attacks. By sending rogue IPv6 router advertisements, a malicious container can reconfigure the host so that part or all of the host's IPv6 traffic is routed to the attacker-controlled container. Even if the host carried no IPv6 traffic before, when DNS returns both A (IPv4) and AAAA (IPv6) records many HTTP libraries try to connect over IPv6 first and fall back to IPv4, which gives the attacker an opportunity to answer the connection.
This vulnerability has been given an initial severity of Medium, with a CVSS score of 6.0.
Vulnerability analysis and verification
All AKS clusters created or upgraded with Node Image Version 2019.04.24 or later are not vulnerable, because those node images set net.ipv6.conf.all.accept_ra to 0 and enforce TLS with proper certificate validation.
Clusters created or last upgraded before that node image version are susceptible to this vulnerability.
You can check whether your current node image is vulnerable by running the check script at https://aka.ms/aks/MitM-check-20200601 on a machine that has CLI access to the cluster's nodes.
Windows nodes are not affected by this vulnerability.
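As an added illustration of the accept_ra check described above (this is not the AKS check script linked at the aka.ms URL, and the sample sysctl lines are constructed rather than captured from a real node), the following POSIX shell script parses "sysctl -a" output and reports every IPv6 interface, plus the all and default pseudo-entries, that still accepts router advertisements:

```shell
#!/bin/sh
# Added example, not the AKS check script: inspect a node's IPv6 accept_ra
# sysctls and flag any entry that would honour router advertisements sent
# from a pod. Input is "sysctl -a" output on stdin.
#
# Keys look like: net.ipv6.conf.<iface>.accept_ra = <n>
#   <iface> = all     -> the catch-all setting the fixed node image sets to 0
#   <iface> = default -> what newly created interfaces (e.g. the host side of
#                        a new pod's veth) inherit
#   anything else     -> an existing interface; sysctl writes '/' for dots in
#                        interface names (eth0.100 -> eth0/100), so the key
#                        always contains exactly four dots.

# Print "<iface> <value>" for every accept_ra entry whose value is not 0.
# Prints nothing when every entry is 0.
ra_enabled_ifaces() {
    awk -F'[ =]+' '
        $1 ~ /^net\.ipv6\.conf\.[^.]+\.accept_ra$/ {
            split($1, part, ".")
            if ($2 != "0") print part[4], $2
        }' | sort
}

# Verdict: return 0 if nothing accepts RAs, 1 otherwise (listing offenders).
assess_accept_ra() {
    offenders=$(ra_enabled_ifaces)
    if [ -n "$offenders" ]; then
        printf 'VULNERABLE: accept_ra is enabled on:\n%s\n' "$offenders"
        return 1
    fi
    printf 'OK: accept_ra is 0 on every IPv6 interface\n'
    return 0
}

# Constructed sample (not captured from a real node): "all" is 0, but
# "default" and one existing pod veth still accept RAs.
SAMPLE_SYSCTL='net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.lo.accept_ra = 0
net.ipv6.conf.eth0.accept_ra = 0
net.ipv6.conf.cbr0.accept_ra = 0
net.ipv6.conf.veth3f1a2b.accept_ra = 1
net.ipv4.conf.all.accept_redirects = 0'

# Usage: sh check_ra.sh --node    (on the node: reads the live sysctls)
#        sh check_ra.sh --sample  (anywhere: uses the constructed sample)
case "${1:-}" in
    --node)   sysctl -a 2>/dev/null | assess_accept_ra ;;
    --sample) printf '%s\n' "$SAMPLE_SYSCTL" | assess_accept_ra ;;
esac
```

Run it with --node on a node to read the live values; a node image with the mitigation should show all = 0. The per-veth entries reflect what the CNI plugin configured when each pod was created: the fixed plugins (v0.8.6) disable accept_ra on the host side of every pod veth, so a vulnerable plugin typically leaves those entries at the kernel default.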
If you identify vulnerable nodes, you can mitigate the vulnerability by performing a cluster upgrade, which replaces the nodes with ones built from the current node image, using the following command:
$ az aks upgrade -n <cluster name> -g <cluster resource group> -k <newer supported kubernetes version>
In addition, a permanent fix for this CVE is available in CNI plugins v0.8.6: https://github.com/containernetworking/plugins/releases/tag/v0.8.6 . AKS is rolling out this fix in the most recent VHD version.