CVE-2020-15127

In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint is accessible to anyone on the network that can reach the Kubernetes node that's running Envoy. There is no authentication in place that prevents a rogue actor on the network from shutting down Envoy via the shutdown manager endpoint. Successful exploitation of this issue will lead to bad actors shutting down all instances of Envoy, essentially killing the entire ingress data plane. This is fixed in version 1.7.0.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/projectcontour/contour/releases/tag/v1.7.0	Release Notes Third Party Advisory
https://github.com/projectcontour/contour/security/advisories/GHSA-mjp8-x484-pm3r	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:projectcontour:contour:*:*:*:*:*:kubernetes:*:*

History

No history.

Information

Published : 2020-08-05 21:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-15127

Mitre link : CVE-2020-15127

CVE.ORG link : CVE-2020-15127

JSON object : View

Products Affected

projectcontour

contour

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2020-15127", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-08-05T21:15:12.350", "references": [{"url": "https://github.com/projectcontour/contour/releases/tag/v1.7.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/projectcontour/contour/security/advisories/GHSA-mjp8-x484-pm3r", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint is accessible to anyone on the network that can reach the Kubernetes node that's running Envoy. There is no authentication in place that prevents a rogue actor on the network from shutting down Envoy via the shutdown manager endpoint. Successful exploitation of this issue will lead to bad actors shutting down all instances of Envoy, essentially killing the entire ingress data plane. This is fixed in version 1.7.0."}, {"lang": "es", "value": "En Contour (Controlador de ingreso para Kubernetes) anterior a la versi\u00f3n 1.7.0, un actor malo puede cerrar todas las instancias de Envoy, esencialmente eliminando todo el plano de entrada de datos. Las peticiones GET hacia /shutdown en el puerto 8090 del pod Envoy inician el procedimiento de apagado de Envoy. El procedimiento de apagado incluye cambiar el endpoint readiness a falso, lo que elimina a Envoy del grupo de enrutamiento. Cuando se ejecuta Envoy (por ejemplo, en la red host, pod especifica hostNetwork=true), el endpoint del administrador de cierre es accesible para cualquier persona en la red que pueda alcanzar el nodo Kubernetes que ejecuta Envoy. No existe una autenticaci\u00f3n que impida a un actor malicioso de la red cerrar Envoy por medio del endpoint del administrador de cierre. Una explotaci\u00f3n con \u00e9xito de este problema llevar\u00e1 a que los actores malos cierren todas las instancias de Envoy, esencialmente eliminando todo el plano de datos de ingreso. Esto es corregido en la versi\u00f3n 1.7.0"}], "lastModified": "2020-08-12T13:30:33.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:projectcontour:contour:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "BBB4F1FC-CACA-4230-BC7A-813BB0B1C08F", "versionEndExcluding": "1.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}