CVE-2020-8566 in kube-controller-manager
Summary
by MITRE • 12/08/2020
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.
Analysis
by VulDB Data Team • 12/13/2020
CVE-2020-8566 is a critical information disclosure flaw in Kubernetes clusters that use the Ceph RBD (RADOS Block Device) storage provisioner. It manifests when the cluster runs with a logging level of at least 4, which is considered a verbose logging configuration. The issue stems from improper handling of sensitive administrative credentials during dynamic provisioning of Ceph RBD persistent volumes, which exposes those credentials in cluster logs.
The technical flaw occurs within the kube-controller-manager component of Kubernetes, which is responsible for managing the cluster's control plane operations including storage provisioning. When Ceph RBD persistent volume claims are created, the system writes administrative secrets used for authentication with the Ceph storage cluster directly to the logging output. This logging behavior is particularly dangerous because it bypasses normal security controls and access restrictions that typically protect sensitive credentials. The vulnerability affects multiple Kubernetes versions including those prior to 1.19.3, 1.18.10, and 1.17.13, indicating it was present across several major release lines and had significant impact potential.
The operational impact of this vulnerability is severe as it provides attackers with direct access to administrative credentials that can be used to compromise the entire Ceph storage infrastructure. These credentials typically grant full administrative privileges to the Ceph cluster, allowing unauthorized parties to modify storage configurations, access sensitive data, or even delete storage resources. The exposure occurs during normal provisioning operations, meaning that legitimate cluster activities inadvertently create the attack surface. This creates a persistent risk where any user with access to cluster logs can extract these credentials, potentially leading to data breaches or storage system compromise. The vulnerability aligns with CWE-209, which addresses information exposure through error handling, and represents a classic case of credential leakage in log files.
Mitigation strategies for CVE-2020-8566 primarily involve upgrading affected Kubernetes clusters to versions that contain the fix, specifically Kubernetes v1.19.3, v1.18.10, or v1.17.13. Organizations should also implement immediate operational controls including reducing logging verbosity levels to prevent credential exposure, implementing log filtering mechanisms to remove sensitive data from logs, and establishing proper access controls for cluster logging systems. Additionally, organizations should consider implementing secrets management solutions that do not rely on logging credentials and should regularly audit their logging configurations to ensure sensitive information is not inadvertently exposed. The ATT&CK framework categorizes this vulnerability under T1562.001, which deals with disabling or modifying tools, as attackers could use these credentials to modify storage systems or disable security controls. Organizations should also implement monitoring solutions to detect unauthorized access to cluster logs and establish incident response procedures for credential exposure events.
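The following audit sketch is an added example, not code from Kubernetes or VulDB. It checks a kube-controller-manager version and argument list against the affected versions and log level stated above, and masks key-shaped tokens in log lines. The sample log layout, the fake key, the key-shape heuristic and the function names are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory: v1.19.3, v1.18.10, v1.17.13.
FIXED = {(1, 19): 3, (1, 18): 10, (1, 17): 13}
# Heuristic (assumption): a cephx key is 40 base64 chars, "AQ" ... "==".
CEPH_KEY = re.compile(r"AQ[A-Za-z0-9+/]{36}==")
V_FLAG = re.compile(r"^--?v(?:=(\d+))?$")

def is_affected(version):
    """True if the version predates the fix on its release line."""
    major, minor, patch = map(int, re.match(r"v?(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (major, minor) < (1, 17)  # older lines sit below v1.17.13

def verbosity(args):
    """Read the log level from --v=N or --v N; unset is treated as 0."""
    level = 0
    for i, arg in enumerate(args):
        m = V_FLAG.match(arg)
        if not m:
            continue
        if m.group(1) is not None:
            level = int(m.group(1))
        elif i + 1 < len(args) and args[i + 1].isdigit():
            level = int(args[i + 1])
    return level

def audit(version, args, log_lines):
    """Report exposure and return log lines with key-shaped tokens masked."""
    redacted, hits = [], 0
    for line in log_lines:
        clean, n = CEPH_KEY.subn("<masked>", line)
        redacted.append(clean)
        hits += n
    return {
        "exposed_config": is_affected(version) and verbosity(args) >= 4,
        "keys_found": hits,
        "redacted": redacted,
    }

# Constructed sample data: fake key, invented log line layout.
FAKE_KEY = "AQ" + "EXAMPLEKEY" * 3 + "EXAMPL" + "=="
SAMPLE_ARGS = ["kube-controller-manager", "--leader-elect=true", "--v=4"]
SAMPLE_LOGS = [
    "I1013 10:00:01 1 example.go:1] rbd: create pvc-0001 pool kube id admin key " + FAKE_KEY,
    'I1013 10:00:02 1 example.go:2] volume "pvc-0001" provisioned',
]

if __name__ == "__main__":
    print(audit("v1.18.9", SAMPLE_ARGS, SAMPLE_LOGS))
```

Any key the audit finds in real logs should be treated as compromised and rotated on the Ceph side, since masking a copy does not remove it from logs already shipped elsewhere.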