CVE-2019-9946

kubernetes: Incorrect rule injection in CNI portmap plugin

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.

La interfaz de red del contenedor (CNI) de Cloud Native Computing Foundation (CNCF), en su versión 0.7.4, tiene una configuración incorrecta en el firewall de red que afecta a Kubernetes. El plugin "portmat" de la CNI, utilizado para configurar los puertos de host para la CNI, introduce reglas al frente de las cadenas de iptables NAT. Esto tiene la precedencia sobre la cadena KUBE- SERVICES. Debido a esto, la regla HostPort/portmap podría coincidir con el tráfico entrante aunque hubiera un ajuste mejor y reglas de definición del servicio más específicas como NodePorts más adelante en la cadena. Este problema está resuelto en la versión 0.7.5 de CNI y en las versiones 1.11.9, 1.12.7, 1.13.5 y 1.14.0 de Kubernetes.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-23 CVE Reserved
2019-04-02 CVE Published
2024-08-04 CVE Updated
2024-08-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-670: Always-Incorrect Control Flow Implementation
CWE-841: Improper Enforcement of Behavioral Workflow

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/containernetworking/plugins/pull/269#issuecomment-477683272	2023-11-07
https://security.netapp.com/advisory/ntap-20190416-0002	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHBA-2019:0862	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCN66VYB3XS76SYH567SO7N3I254JOCT	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-9946	2019-11-05
https://bugzilla.redhat.com/show_bug.cgi?id=1692712	2019-11-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cncf Search vendor "Cncf"		Portmap Search vendor "Cncf" for product "Portmap"				< 0.7.5 Search vendor "Cncf" for product "Portmap" and version " < 0.7.5"		container_networking_interface		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				< 1.11.9 Search vendor "Kubernetes" for product "Kubernetes" and version " < 1.11.9"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.12.0 < 1.12.7 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.12.0 < 1.12.7"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				>= 1.13.0 < 1.13.5 Search vendor "Kubernetes" for product "Kubernetes" and version " >= 1.13.0 < 1.13.5"		-		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.13.6 Search vendor "Kubernetes" for product "Kubernetes" and version "1.13.6"		beta0		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		alpha0		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		alpha1		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		alpha2		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		alpha3		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		beta0		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		beta1		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		beta2		Affected
Kubernetes Search vendor "Kubernetes"		Kubernetes Search vendor "Kubernetes" for product "Kubernetes"				1.14.0 Search vendor "Kubernetes" for product "Kubernetes" and version "1.14.0"		rc1		Affected
Netapp Search vendor "Netapp"		Cloud Insights Search vendor "Netapp" for product "Cloud Insights"				-		-		Affected