CVE-2020-35514 - OpenCVE

An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes or has local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects versions before openshift4/ose-machine-config-operator v4.7.0-202105111858.p0.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Openshift

Configuration 1 [-]

OR	cpe:2.3:a:redhat:openshift::::::::
	cpe:2.3:a:redhat:openshift:4.7.0:-::::::

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1914714
https://nvd.nist.gov/vuln/detail/CVE-2020-35514
https://www.cve.org/CVERecord?id=CVE-2020-35514

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-06-02T13:22:12

Updated: 2024-08-04T17:02:08.247Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2020-35514

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-02T14:15:09.577

Modified: 2021-06-11T16:42:09.027

Link: CVE-2020-35514

Redhat

Severity : Moderate

Publid Date: 2020-11-05T00:00:00Z

Links: CVE-2020-35514 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC917AC2-DD18-4DD6-80B4-4A1BE1A62D10", "versionEndExcluding": "4.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift:4.7.0:-:*:*:*:*:*:*", "matchCriteriaId": "5D5A79FB-491F-4030-8F6F-C3691F9D7D58", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes or has local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects versions before openshift4/ose-machine-config-operator v4.7.0-202105111858.p0."}, {"lang": "es", "value": "Se ha detectado un fallo de modificaci\u00f3n no segura en el archivo /etc/kubernetes/kubeconfig en OpenShift. Este fallo permite a un atacante con acceso a un contenedor en ejecuci\u00f3n que monta el archivo /etc/kubernetes o que tiene acceso local al nodo, copiar este archivo kubeconfig e intentar a\u00f1adir su propio nodo al cl\u00faster de OpenShift. La mayor amenaza de esta vulnerabilidad es la confidencialidad, la integridad, as\u00ed como la disponibilidad del sistema. Este fallo afecta a versiones anteriores a openshift4/ose-machine-config-operator v4.7.0-202105111858.p0"}], "id": "CVE-2020-35514", "lastModified": "2021-06-11T16:42:09.027", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-02T14:15:09.577", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1914714"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Juan Osorio Robles (Red Hat).", "bugzilla": {"description": "openshift/machine-config-operator: /etc/kubernetes/kubeconfig is given incorrect privileges", "id": "1914714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1914714"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-266", "details": ["An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes or has local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects versions before openshift4/ose-machine-config-operator v4.7.0-202105111858.p0.", "An insecure modification flaw in the /etc/kubernetes/kubeconfig file was found in OpenShift. This flaw allows an attacker with access to a running container which mounts /etc/kubernetes or has local access to the node, to copy this kubeconfig file and attempt to add their own node to the OpenShift cluster. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2020-35514", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-machine-config-operator", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-11-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-35514\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-35514"], "statement": "The kubeconfig file on the node is that of the bootstrap certificate. This means that to successfully exploit this vulnerability, the kubeconfig file must be taken and used within the first 24 hours of creation as it is created with a short expiration time. Otherwise, attempting to use the credentials after this time will result in the following:\n`Failed while requesting a signed certificate from the master: cannot create certificate signing request: Unauthorized`\nFurther, if taken, the certificate signing request (CSR) of the joining rogue OpenShift node is not automatically approved by default. The node still needs to be approved through the use of the commands `oc get csr` and `oc adm certificate approve`.", "threat_severity": "Moderate"}