Skip to content

CVE-2020-8569: snapshot-controller DoS (NULL pointer dereference) #421

New issue
New issue
Closed
Closed
CVE-2020-8569: snapshot-controller DoS (NULL pointer dereference)#421
Labels
committee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.sig/storageCategorizes an issue or PR as relevant to SIG Storage.
@jsafrane

Description

@jsafrane
jsafrane
opened on Nov 3, 2020

CVSS Rating: TBD

The Kubernetes snapshot-controller has been found to be vulnerable to a denial of service attack via authorized API requests.

The snapshot-controller is an optional Kubernetes component that enables volume snapshot feature, which is beta in Kubernetes 1.17 It is installed typically as an add-on into a Kubernetes cluster. See https://kubernetes-csi.github.io/docs/snapshot-controller.html for details.

The snapshot-controller could dereference a NULL pointer when processing a VolumeSnapshot custom resource when:

  • The VolumeSnapshot referenced a non-existing PersistentVolumeClaim;
  • And the VolumeSnapshot did not reference any VolumeSnapshotClass.

The snapshot-controller crashes and it is automatically restarted by Kubernetes, however, it processes the same VolumeSnapshot custom resource after the restart and crashes again, entering an endless crashloop.

Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

Am I vulnerable?

You may be vulnerable if:

  • You run Kubernetes CSI snapshot-controller;
  • You are running a vulnerable version (see below);
  • Untrusted users can create VolumeSnapshot custom resources in API group snapshot.storage.k8s.io.

Affected Versions

  • snapshot-controller v2.1.0 - v2.1.2
  • snapshot-controller v3.0.0 - v3.0.1

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by restricting creation of VolumeSnapshot custom resources in API group snapshot.storage.k8s.io only to trusted users.

Fixed Versions

  • snapshot-controller v2.1.3
  • snapshot-controller v3.0.2

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

The snapshot-controller Pod crashlooping could be an indication of this CVE being exploited. Check the health of the snapshot-controller Deployment and Pods.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See #380 for a detailed reproducer and #381 for a fix.

Acknowledgements

This vulnerability was reported by Qin Ping and Jan Šafránek.

/area security
/kind bug
/committee product-security
/sig storage

Metadata

Metadata

Assignees

No one assigned

    Labels

    committee/security-responseDenotes an issue or PR intended to be handled by the product security committee.kind/bugCategorizes issue or PR as related to a bug.sig/storageCategorizes an issue or PR as relevant to SIG Storage.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions