CVE-2020-35514 in OpenShift
Summary
by MITRE • 06/02/2021
An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes or has local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects versions before openshift4/ose-machine-config-operator v4.7.0-202105111858.p0.
Analysis
by VulDB Data Team • 06/05/2021
The vulnerability identified as CVE-2020-35514 represents a critical security flaw within the OpenShift container platform that stems from improper file permissions and access controls surrounding the kubeconfig file. This file contains essential authentication credentials and cluster configuration details that govern access to the Kubernetes API server. The flaw exists in the machine config operator component of OpenShift, specifically in versions prior to v4.7.0-202105111858.p0, where the system fails to properly secure the kubeconfig file located at /etc/kubernetes/kubeconfig. The insecure modification flaw allows unauthorized entities to gain access to this sensitive configuration file through container mounting or local node access, creating a significant attack vector for privilege escalation and cluster compromise.
This vulnerability violates the principle of least privilege by failing to enforce proper access controls on the kubeconfig file. When containers mount the /etc/kubernetes directory, or when an attacker gains local access to a node, they can copy the kubeconfig file, which contains administrative credentials and cluster connection parameters. This file typically includes client certificates, token information, and API server endpoints that provide full administrative access to the Kubernetes cluster. The flaw enables attackers to potentially add their own nodes to the cluster, effectively allowing them to extend the cluster's infrastructure under their control, which directly violates the integrity and availability of the system.
The operational impact of CVE-2020-35514 extends beyond simple credential theft, creating a comprehensive threat to all three pillars of the CIA triad. From a confidentiality perspective, attackers can access sensitive cluster information including pod configurations, secrets, and network policies that govern data flow within the cluster. The integrity threat is substantial as attackers can modify cluster configurations, add malicious nodes, or manipulate existing resources to compromise the cluster's operational state. Availability is also at risk since attackers can potentially disrupt cluster operations by adding nodes that consume resources or by manipulating the cluster's node management systems. This vulnerability particularly affects OpenShift clusters where the machine config operator manages node configurations, making it a systemic issue rather than an isolated incident.
This vulnerability maps directly to CWE-732: Incorrect Permission Assignment for Critical Resource, which specifically addresses the assignment of incorrect permissions to critical system resources. The flaw also aligns with ATT&CK technique T1078.004: Valid Accounts - Cloud Accounts, as it enables attackers to leverage legitimate cluster credentials to gain unauthorized access to cluster resources. Additionally, the vulnerability demonstrates characteristics of T1566.001: Phishing - Spearphishing Attachment, as attackers might exploit this flaw through compromised container images or local access to gain an initial foothold. The issue is particularly concerning in environments where containers have broad mounting capabilities or where local node access is not properly restricted, as it provides a clear path for attackers to escalate privileges and gain administrative control over the entire cluster infrastructure.
The recommended mitigations for CVE-2020-35514 include an immediate upgrade to openshift4/ose-machine-config-operator v4.7.0-202105111858.p0 or later, where the insecure modification flaw has been addressed. Organizations should implement strict access controls on the /etc/kubernetes directory and ensure that only authorized processes can access the kubeconfig file. Container images should be configured with the minimal necessary permissions and should not mount sensitive directories unless absolutely required. Network segmentation and pod security policies should be implemented to prevent containers from accessing node-level directories. Additionally, regular auditing of file permissions and access logs should be conducted to detect unauthorized access attempts. The remediation process should also include proper key rotation procedures for cluster credentials and ensuring that all nodes are properly secured against local access by unauthorized users.
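The two mitigations above that an operator can check mechanically are the permissions on the kubeconfig file itself and whether any pod mounts a host path that exposes it. The following script is an added example written for this page; it is not code from VulDB, Red Hat or the machine config operator. It assumes the kubeconfig should be owned by root (uid 0) with mode 0600, and that pod manifests are available as plain dictionaries (for instance the JSON output of kubectl get pod -o json). The file and pod used for the demonstration are constructed inline.

```python
import os
import stat
import tempfile

# The file named in the advisory; any hostPath at or above it exposes it.
KUBECONFIG_PATH = "/etc/kubernetes/kubeconfig"


def kubeconfig_permission_findings(path, expected_uid=0):
    """Return a list of findings for a node's kubeconfig file.

    Policy (an assumption of this example): owned by expected_uid (root by
    default) and neither readable nor writable by group or others (0600).
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != expected uid {expected_uid}")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by group/others (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group/others (mode {mode:04o})")
    return findings


def hostpath_findings(pod, target=KUBECONFIG_PATH):
    """Flag hostPath volumes in a pod manifest (dict) that expose `target`.

    A mount of the file itself or of any ancestor directory (/etc/kubernetes,
    /etc, /) lets the container read and copy the kubeconfig, so read-only
    mounts are flagged as well.
    """
    findings = []
    for vol in pod.get("spec", {}).get("volumes", []):
        host = vol.get("hostPath", {}).get("path")
        if host is None:
            continue
        norm = os.path.normpath(host)
        prefix = norm.rstrip("/") + "/"
        if norm == target or target.startswith(prefix):
            findings.append(f"volume {vol.get('name')!r} mounts {norm}, exposing {target}")
    return findings


def demo_permission_check(mode):
    """Create a constructed kubeconfig in a temp dir with `mode` and audit it.

    The expected owner is the current user so the demo works unprivileged.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "kubeconfig")
        with open(path, "w") as fh:
            fh.write("apiVersion: v1\nkind: Config\n")  # constructed placeholder
        os.chmod(path, mode)
        return kubeconfig_permission_findings(path, expected_uid=os.getuid())


# Constructed pod manifest: one hostPath that covers the kubeconfig, one that does not.
SAMPLE_POD = {
    "metadata": {"name": "example-agent"},
    "spec": {
        "volumes": [
            {"name": "host-kube", "hostPath": {"path": "/etc/kubernetes/"}},
            {"name": "host-logs", "hostPath": {"path": "/var/log"}},
            {"name": "scratch", "emptyDir": {}},
        ]
    },
}

if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(f"mode {mode:04o}:", demo_permission_check(mode) or "ok")
    print("pod:", hostpath_findings(SAMPLE_POD) or "ok")
```

Running the script reports the 0644 file as group/world readable and the 0600 file as clean, and flags only the host-kube volume of the sample pod; the /var/log mount is not a finding because it cannot reach the kubeconfig. On a real node the permission check would be pointed at KUBECONFIG_PATH with the default expected_uid of 0.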