Are your K8s clusters exposed to the K8s Symlink vulnerability (CVE-2021-25741)
Sep 20, 2021
Overview

A new HIGH severity vulnerability was found in Kubernetes in which users may be able to create a container with subPath volume mounts to access files and directories outside of the volume, including on the host filesystem. The issue affects the Kubelet component of Kubernetes (Kubelet is the primary "node agent" that runs on each node; it registers the node with the apiserver and launches Pods on it). The issue was first reported by Fabricio Voznika and Mark Wolters of Google and posted to GitHub on Sep 13, 2021 (https://github.com/kubernetes/kubernetes/issues/104980). This vulnerability allows attackers to abuse the subPath property of volumeMounts and access the entire host file system without using the hostPath feature originally intended for this capability.
Mitigation

The best way to avoid being affected is to completely disable VolumeSubPath functionality using the --feature-gates="VolumeSubPath=false" parameter of the Kubelet and the apiserver.
How to know if your cluster is affected

Since Pods that use subPath can potentially exploit this vulnerability, checking whether you are running a vulnerable version of Kubelet and whether you have Pods in your cluster that use this functionality is key to understanding if your K8s cluster is exposed to this threat. To help K8s users understand if their K8s clusters are exposed to CVE-2021-25741, we have added a new feature to Kubescape, an open-source tool built to identify potential security issues in Kubernetes configuration. It now checks if your K8s clusters are exposed to CVE-2021-25741 and verifies that there are no Pods in the cluster that attempt to use the subPath function. Simply install Kubescape from GitHub (https://github.com/armosec/kubescape) and run the default set of tests, which includes a test for this specific vulnerability. The results appear in seconds, and the tool output shows exactly which Pods are contributing to the exposure. You can also log in to the URL provided at the end of the scan and see all results in a full report with options for mitigations, managing alerts, and tracking exposure over time.
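The check described above, finding every Pod whose volumeMounts use subPath (or the related subPathExpr), can also be done by hand from the output of kubectl. The script below is an added example written for this post; it is not Kubescape's own code and does not reproduce its rule logic. It assumes the standard JSON layout that `kubectl get pods -A -o json` produces (a list with an `items` array of Pod objects) and ships with a small constructed Pod list so it runs offline; in practice you would feed it the real kubectl output.

```python
"""Inventory subPath / subPathExpr volume mounts across Pods (CVE-2021-25741 exposure check).

Added example, not part of Kubescape. Input format is the JSON that
`kubectl get pods -A -o json` returns; the SAMPLE_POD_LIST below is constructed.
"""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample resembling `kubectl get pods -A -o json` output.
# "web" uses subPath in a regular container and subPathExpr in an init
# container; "api" mounts a volume without subPath and should not be flagged.
SAMPLE_POD_LIST: Dict = {
    "items": [
        {
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "initContainers": [
                    {"name": "setup",
                     "volumeMounts": [{"name": "data", "mountPath": "/work",
                                       "subPathExpr": "$(POD_NAME)"}]}
                ],
                "containers": [
                    {"name": "nginx",
                     "volumeMounts": [{"name": "config", "mountPath": "/etc/nginx/nginx.conf",
                                       "subPath": "nginx.conf"}]}
                ],
            },
        },
        {
            "metadata": {"name": "api", "namespace": "prod"},
            "spec": {
                "containers": [
                    {"name": "api",
                     "volumeMounts": [{"name": "data", "mountPath": "/data"}]}
                ]
            },
        },
    ]
}

# (namespace/pod, container, volume name, key used, value)
Finding = Tuple[str, str, str, str, str]

# All container lists in a PodSpec that can carry volumeMounts.
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def find_subpath_mounts(pod_list: Dict) -> List[Finding]:
    """Return one Finding per volumeMount that sets subPath or subPathExpr."""
    findings: List[Finding] = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        pod_ref = "{}/{}".format(meta.get("namespace", "default"), meta.get("name", "?"))
        spec = pod.get("spec", {})
        for kind in CONTAINER_KINDS:
            for container in spec.get(kind) or []:
                for mount in container.get("volumeMounts") or []:
                    for key in ("subPath", "subPathExpr"):
                        if key in mount:
                            findings.append((pod_ref, container.get("name", "?"),
                                             mount.get("name", "?"), key, mount[key]))
    return findings


def affected_pods(pod_list: Dict) -> List[str]:
    """Sorted, de-duplicated namespace/pod references that use subPath in any form."""
    return sorted({f[0] for f in find_subpath_mounts(pod_list)})


def main(argv: List[str]) -> int:
    # Read `kubectl get pods -A -o json` from a file argument, else use the sample.
    pod_list = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_POD_LIST
    findings = find_subpath_mounts(pod_list)
    for pod_ref, container, volume, key, value in findings:
        print("{}  container={}  volume={}  {}={}".format(pod_ref, container, volume, key, value))
    print("{} pod(s) use subPath mounts".format(len(affected_pods(pod_list))))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `kubectl get pods -A -o json > pods.json && python3 check_subpath.py pods.json`; a non-zero exit code means at least one Pod in the cluster relies on subPath, which is the set of workloads to review (and, if you disable the feature gate as described above, the set that will need their manifests changed).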