September 20, 2021

Use Kubescape to check if your Kubernetes clusters are exposed to the latest K8s Symlink vulnerability (CVE-2021-25741)

Shauli Rozen

CEO & Co-founder

Overview

A new HIGH severity vulnerability was found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. The issue is affecting the Kubelet component of Kubernetes (Kubelet is the primary "node agent" that runs on each node. It registers the node with the apiserver and launches PODs on it).

The issue was first reported by Fabricio Voznika and Mark Wolters of Google and posted to Github on Sep 13, 2021 (https://github.com/kubernetes/kubernetes/issues/104980 ).

This vulnerability allows attackers to abuse subPath property of the volumeMounts and access the entire host file system without using the hostPath feature originally intended for this capability.


Mitigation

The best way to avoid being affected is to completely disable VolumeSubPath functionality using --feature-gates=”VolumeSubPath=false” parameter of the Kubelet and the apiserver.

How to know if your cluster is affected

Since PODs, which utilizing the subPath, can potentially exploit this vulnerability, checking whether you are running a vulnerable version of Kubelet and whether you have PODs in your cluster that are utilizing this functionality would be key to understanding if your K8s is exposed to this threat.

To help K8s users understand if their K8s clusters are exposed to CVE-2021-25741, we have added a new feature to Kubescape - an open-source tool built to identify potential security issues in Kubernetes configuration. It now checks if your K8s clusters are exposed to CVE-2021-25741 and verify that there are no pods in the cluster that attempt to use subPath function.

Simply install Kubescape from github https://github.com/armosec/kubescape and run the default set of tests including a test for this specific vulnerability.

 the results will appear in seconds -


You can also see exactly which PODs are the ones that are contributing to the exposure in the tool output:


You can also log in to the provided URL at the end of the scan and see all results in a full report with options for mitigations, managing alerts and exposure over time:

Go Back to Blog

Heading

What’s a Rich Text element?

The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.

Static and dynamic content editing

A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!

How to customize formatting for each rich text

Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.

Go Back to Blog