[Security Advisory] [CSI snapshot-controller] CVE-2020-8569: snapshot-controller DoS

(Posting on behalf of Tim Allclair: original post)

Hello Kubernetes Community,

A security issue was discovered in the CSI snapshot-controller that could lead to a denial of service attack via authorized API requests.

This issue has been rated Medium and assigned CVE-2020-8569.

The snapshot-controller is an optional Kubernetes component that enables the volume snapshot feature, which is beta in Kubernetes 1.19. It is typically installed as an add-on into a Kubernetes cluster. See https://kubernetes-csi.github.io/docs/snapshot-controller.html for details.

The snapshot-controller could panic when processing a VolumeSnapshot custom resource when:

  • The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass.
  • The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop.

Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

Am I vulnerable?

You may be vulnerable if:

  • You run Kubernetes CSI snapshot-controller;
  • You are running a vulnerable version (see below);
  • Untrusted users can create VolumeSnapshot custom resources in API group snapshot.storage.k8s.io.

Affected Versions

  • snapshot-controller v3.0.0 - v3.0.1

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by restricting creation of VolumeSnapshot custom resources in API group snapshot.storage.k8s.io only to trusted users.

Fixed Versions

  • snapshot-controller v3.0.2

If you’re using a managed Kubernetes service, check with them on how to upgrade. If you’re managing the snapshot-controller, then update the image to v3.0.2.

Detection

The snapshot-controller Pod crashlooping could be an indication of this CVE being exploited. Check the health of the snapshot-controller Deployment and Pods.

If you find evidence that this vulnerability has been exploited, please contact secu…@kubernetes.io

Additional Details

See https://github.com/kubernetes-csi/external-snapshotter/issues/380 for a detailed reproducer and https://github.com/kubernetes-csi/external-snapshotter/pull/381 for a fix.

Acknowledgements

This vulnerability was reported by Qin Ping.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee
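The following shell snippet is an added example and not part of the advisory or of the external-snapshotter project. It puts the two operational points above into runnable form: the "How do I mitigate" step (keep the create verb on VolumeSnapshot resources in API group snapshot.storage.k8s.io bound only to trusted subjects) and the "Detection" step (flag a crashlooping snapshot-controller Pod). The group name snapshot-admins, the Pod name prefix snapshot-controller, the namespace kube-system and the sample kubectl output are all assumptions or constructed values; RBAC is allow-only, so the manifest works by granting create to the trusted group and nothing more than read access to everyone else.

```shell
#!/bin/sh
# Added example, not code from the advisory. Placeholders: the group
# "snapshot-admins", the namespace "kube-system" and the Pod name prefix
# "snapshot-controller" are assumptions; adjust to your cluster.

# Mitigation: RBAC that keeps "create"/"delete" on VolumeSnapshot objects for
# the trusted group only. Any other subject bound to volumesnapshot-reader can
# only read snapshots, so it cannot create the CR that triggers the panic.
volumesnapshot_rbac_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: volumesnapshot-reader
rules:
- apiGroups: ["snapshot.storage.k8s.io"]
  resources: ["volumesnapshots"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: volumesnapshot-creator
rules:
- apiGroups: ["snapshot.storage.k8s.io"]
  resources: ["volumesnapshots"]
  verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: volumesnapshot-creator
subjects:
- kind: Group
  name: snapshot-admins   # placeholder: the group of trusted users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: volumesnapshot-creator
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Detection: $1 is text in the format printed by `kubectl get pods` (header
# included), $2 is a restart threshold (default 5). Prints one line for every
# snapshot-controller Pod that is in CrashLoopBackOff or has restarted at least
# $2 times, and returns 0 when something was flagged, 1 when all is healthy.
# Only awk is used, so no jq is required on the admin host.
snapshot_controller_crashloop() {
  printf '%s\n' "$1" | awk -v max="${2:-5}" '
    NR > 1 && $1 ~ /^snapshot-controller/ &&
      ($3 == "CrashLoopBackOff" || $4 + 0 >= max) {
        print $1 " status=" $3 " restarts=" $4
        found = 1
      }
    END { exit found ? 0 : 1 }'
}

# Typical use on a live cluster (namespace is an assumption):
#   volumesnapshot_rbac_manifest | kubectl apply -f -
#   snapshot_controller_crashloop "$(kubectl get pods -n kube-system)" 5
```

After applying the manifest, confirm that an ordinary user really lost the verb with `kubectl auth can-i create volumesnapshots.snapshot.storage.k8s.io --as=<user>`; any pre-existing binding that still grants create (for example a wildcard ClusterRole) has to be found and removed separately, since RBAC has no deny rule. The detection function is deliberately noisy on restarts alone: a snapshot-controller that restarts repeatedly without reaching CrashLoopBackOff yet is the early form of the crashloop the advisory describes.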

Correction:
Affected versions include v2.1.0 - v2.1.2. A new version, v2.1.3, has been released with the patch. Please see the previous announcement for issue details and mitigation instructions.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee