Azure Kubernetes Service: Privilege escalation from compromised node to cluster (CVE-2020-8559)

Published date: September 01, 2020

If an attacker is able to intercept certain requests to the Kubelet within Azure Kubernetes Service (AKS), they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes.

If multiple clusters share the same certificate authority trusted by the client, and the same authentication credentials, this vulnerability may allow an attacker to redirect the client to another cluster. In this configuration, this vulnerability should be considered High severity.

Am I vulnerable?

You are only affected by this vulnerability if you treat the node as a security boundary, since clusters in AKS do not share certificate authorities and authentication credentials.

Note that this vulnerability requires an attacker to first compromise a node through separate means.

Affected ** Upstream ** Versions

  • kube-apiserver v1.18.0-1.18.5
  • kube-apiserver v1.17.0-1.17.8
  • kube-apiserver v1.16.0-1.16.12
  • all kube-apiserver versions prior to v1.16.0

Affected ** AKS ** Versions

AKS patches all GA kubernetes versions control plane components automatically.

  • kube-apiserver <v1.18.6
  • kube-apiserver <v1.17.7
  • kube-apiserver <v1.16.10
  • and all kube-apiserver versions prior to v1.15.11

How do I mitigate this vulnerability?

AKS will patch the control planes of its GA versions automatically. If you're on an AKS GA version no action is required.
If you're not in an AKS GA version please upgrade.

Click here for full details, including list of version impacted and mitigation steps.

  • Azure Kubernetes Service (AKS)
  • Security