Security Bulletins

Calico Enterprise & Calico OS are vulnerable to pod route hijacking


Reference: TTA-2022-001

Date published: June 27, 2022 (Updated)


Description

Customers running Calico Enterprise and Calico OS are vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker is able to set a floating IP annotation to a pod even if the feature is not enabled. This allows the attacker to intercept and reroute traffic to their compromised pod.

CVE-2022-28224 has been assigned to this vulnerability.


Severity

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H

The validation on using floating IP can be bypassed by annotating the pod directly after pod creation. The routing will be reverted when the annotated pod is destroyed or the annotation is removed. This vulnerability requires the Kubernetes RBAC permission of [“patch”, “pods”], [“patch”, “pods/status”] or [“update”, “pods/status”] to annotate pods.

With sufficient permission, an attacker can set the annotation on a target pod using the following command:

kubectl annotate pod/<pod-name> cni.projectcalico.org/floatingIPs="[\"<target-ip>\"]"

Where <pod-name> is the victim pod the attacker wants to affect and <target-ip> is the attacker-controlled destination to which the traffic is forwarded.


Affected Releases

  • Calico Enterprise v3.12 and below
  • Calico OS v3.22 and below

Indicators of Impact/Compromise

Review running pods and identify if floatingIP annotations are present. Floating IP is disabled by default.

To check if floating IP is enabled, refer to the calico-config ConfigMap. In the “cni_network_config” section, within the “feature_control” plugin, review if “floating_ips” is set to “true”.

An example of a ConfigMap with floating IP being enabled:

 cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.0",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "datastore_type": "kubernetes",
          "nodename": "__KUBERNETES_NODE_NAME__",
          "mtu": __CNI_MTU__,
          "ipam": {
              "type": "calico-ipam"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          },
          "feature_control": {
              "floating_ips": true
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        }
      ]
    }

If floating IP is disabled, review all running pods to check if an annotation was set with the following command:

kubectl get pods -A -oyaml | grep "floatingIPs"

A truncated example of a pod manifest with the affected annotation:

- apiVersion: v1
  kind: Pod
  metadata:
    annotations:
      cni.projectcalico.org/containerID: 3902b5aff88e589211fbf017a28a293e58c27cc8bd8b5a4f52c788bd3f004561
      cni.projectcalico.org/floatingIPs: 8.8.8.8
      cni.projectcalico.org/podIP: 192.168.94.2/32
      cni.projectcalico.org/podIPs: 192.168.94.2/32
    creationTimestamp: "2022-06-13T20:31:21Z"
    generateName: test-app-1-
    labels:
      app: test-app-1
      controller-revision-hash: 5f65c4857b
      pod-template-generation: "1"
    name: test-pod-7wzxl
    namespace: test-ns

If a floating IP annotation is found, an investigation should be done to determine the impact of the compromise.
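The two checks above (is floating_ips enabled in calico-config, and does any pod carry the floatingIPs annotation) can be automated over the JSON that kubectl emits. The script below is an added example written for this bulletin, not code from Tigera or the Calico project; it works on a constructed ConfigMap and pod list rather than a live cluster, and the IP 203.0.113.10 and the pod and role names in it are made-up sample values. It assumes the input has the shape of `kubectl get cm calico-config -n kube-system -o json` and `kubectl get pods -A -o json`.

```python
import json
import re

# Constructed sample ConfigMap (not from a real cluster), trimmed to the field this check reads.
# Floating IPs are disabled here, which is the default.
CALICO_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "calico-config", "namespace": "kube-system"},
    "data": {
        "cni_network_config": """{
  "name": "k8s-pod-network",
  "cniVersion": "0.3.0",
  "plugins": [
    {
      "type": "calico",
      "nodename": "__KUBERNETES_NODE_NAME__",
      "mtu": __CNI_MTU__,
      "feature_control": {"floating_ips": false}
    },
    {"type": "portmap", "snat": true, "capabilities": {"portMappings": true}}
  ]
}"""
    },
}

# Same ConfigMap with the feature switched on, for comparison.
CALICO_CONFIGMAP_ENABLED = {
    **CALICO_CONFIGMAP,
    "data": {"cni_network_config": CALICO_CONFIGMAP["data"]["cni_network_config"].replace(
        '"floating_ips": false', '"floating_ips": true')},
}

# Constructed sample pod list shaped like `kubectl get pods -A -o json`.
# The floatingIPs annotation on the second pod is the indicator named in the bulletin.
POD_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "clean-pod", "namespace": "test-ns",
                      "annotations": {"cni.projectcalico.org/podIP": "192.168.94.1/32"}}},
        {"metadata": {"name": "test-pod-7wzxl", "namespace": "test-ns",
                      "annotations": {"cni.projectcalico.org/podIP": "192.168.94.2/32",
                                      "cni.projectcalico.org/floatingIPs": '["203.0.113.10"]'}}},
        {"metadata": {"name": "no-annotations", "namespace": "default"}},
    ],
}

FLOATING_IP_ANNOTATION = "cni.projectcalico.org/floatingIPs"
# Unquoted template placeholders such as __CNI_MTU__ are not valid JSON; they are
# substituted with 0 before parsing. Quoted placeholders are left alone.
PLACEHOLDER = re.compile(r'(?<!")__[A-Z0-9_]+__(?!")')


def floating_ips_enabled(configmap: dict) -> bool:
    """True if the calico CNI plugin entry has feature_control.floating_ips set to true."""
    raw = configmap["data"]["cni_network_config"]
    conf = json.loads(PLACEHOLDER.sub("0", raw))
    for plugin in conf.get("plugins", []):
        if plugin.get("type") == "calico":
            return bool(plugin.get("feature_control", {}).get("floating_ips", False))
    return False


def pods_with_floating_ips(pod_list: dict) -> list:
    """Return (namespace, name, annotation value) for every pod carrying the annotation."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if FLOATING_IP_ANNOTATION in annotations:
            hits.append((meta.get("namespace"), meta.get("name"),
                         annotations[FLOATING_IP_ANNOTATION]))
    return hits


def suspicious_pods(configmap: dict, pod_list: dict) -> list:
    """Every annotated pod is reported; the reason notes whether the annotation is
    even possible through the feature, or must have been set directly on the pod."""
    reason = ("feature enabled: confirm the annotation is expected"
              if floating_ips_enabled(configmap)
              else "feature disabled: annotation should not exist, investigate")
    return [(ns, name, value, reason) for ns, name, value in pods_with_floating_ips(pod_list)]


if __name__ == "__main__":
    print("floating_ips enabled:", floating_ips_enabled(CALICO_CONFIGMAP))
    for finding in suspicious_pods(CALICO_CONFIGMAP, POD_LIST):
        print(finding)
```

To run it against a real cluster, replace the constructed dictionaries with `json.load()` of the two kubectl outputs; the grep in the bulletin and this script find the same pods, but the script also tells you whether the feature flag makes the annotation legitimate at all.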


Workaround / Remediation

Review Kubernetes RBAC, in particular which subjects are granted [“patch”, “pods”], [“patch”, “pods/status”] or [“update”, “pods/status”], since any one of these is sufficient to set the annotation.
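An RBAC review for this bulletin means finding every Role and ClusterRole whose rules grant one of the three resource/verb pairs above, including rules that grant them through wildcards. The following is an added example, not code from the Calico project; it runs over a constructed list of role objects (the role names are made up) shaped like the items of `kubectl get clusterroles,roles -A -o json`, and applies the Kubernetes RBAC matching rules for `*` and for `resource/*` and `*/subresource` patterns.

```python
# Constructed sample Role/ClusterRole objects (not from a real cluster).
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "test-ns"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "pod-annotator", "namespace": "test-ns"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "status-writer"},
     "rules": [{"apiGroups": [""], "resources": ["pods/status"], "verbs": ["update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "deploy-editor"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch", "update"]}]},
]

# The (resource, verb) pairs the bulletin names as sufficient to annotate a pod.
ANNOTATE_PERMISSIONS = {("pods", "patch"), ("pods/status", "patch"), ("pods/status", "update")}


def resource_matches(rule_resources, resource):
    """Kubernetes RBAC resource matching: exact name, '*', 'pods/*' for any subresource
    of pods, and '*/status' for that subresource of any resource."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        parent, sub = resource.split("/", 1)
        return f"{parent}/*" in rule_resources or f"*/{sub}" in rule_resources
    return False


def rule_grants(rule, resource, verb):
    """True if a single PolicyRule allows `verb` on `resource` in the core API group."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    core_group = "" in groups or "*" in groups          # pods live in the core ("") group
    return core_group and resource_matches(rule.get("resources", []), resource) \
        and (verb in verbs or "*" in verbs)


def roles_able_to_annotate_pods(roles):
    """Return (kind, namespace, name, [granted pairs]) for every role that can set pod annotations."""
    findings = []
    for role in roles:
        granted = sorted({f"{res}:{verb}"
                          for rule in role.get("rules", [])
                          for res, verb in ANNOTATE_PERMISSIONS
                          if rule_grants(rule, res, verb)})
        if granted:
            meta = role["metadata"]
            findings.append((role["kind"], meta.get("namespace"), meta["name"], granted))
    return findings


if __name__ == "__main__":
    for kind, ns, name, granted in roles_able_to_annotate_pods(ROLES):
        print(f"{kind} {ns or '<cluster>'}/{name}: {', '.join(granted)}")
```

The roles this reports are the ones to cross-reference with RoleBindings and ClusterRoleBindings; a role that nobody is bound to is not a risk, while a broad binding of `pod-annotator` or `status-writer` is exactly the PR:H precondition in the CVSS vector above.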


Fixed Software

  • Calico Enterprise
    • v3.13.0 and above
    • v3.12.1
    • v3.11.4
  • Calico OS
    • v3.22.2 and above
    • v3.21.5
    • v3.20.5

Acknowledgment

We would like to acknowledge Aloys Augustin from Cisco for reporting this issue. We would also like to acknowledge Yuval Avrahami for the additional analysis.
