CVE-2020-35514
📋 TL;DR
This vulnerability allows an attacker who has access to a container that mounts /etc/kubernetes, or who has local access to a node, to copy the kubeconfig file and potentially add unauthorized nodes to the OpenShift cluster. It affects OpenShift versions before 4.7.0-202105111858.p0, compromising confidentiality, integrity, and availability.
💻 Affected Systems
- OpenShift Container Platform
📦 What is this software?
OpenShift by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full cluster control, deploys malicious workloads, exfiltrates sensitive data, and disrupts cluster operations.
Likely Case
Unauthorized node addition leading to resource consumption, lateral movement, and potential data access.
If Mitigated
Limited impact due to existing RBAC controls, network policies, and monitoring preventing successful exploitation.
🎯 Exploit Status
Requires existing access to container or node; exploitation involves file copying and cluster manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: openshift4/ose-machine-config-operator v4.7.0-202105111858.p0 or later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1914714
Restart Required: Yes
Instructions:
1. Update OpenShift to version 4.7.0-202105111858.p0 or later.
2. Apply the machine-config-operator update.
3. Restart affected nodes and containers.
🔧 Temporary Workarounds
Restrict container mounts
Prevent containers from mounting the /etc/kubernetes directory:
oc adm policy add-scc-to-user restricted -z default -n <namespace>
Enforce RBAC restrictions
Limit node addition permissions to trusted users only:
oc policy add-role-to-user edit <trusted-user> -n <namespace>
🧯 If You Can't Patch
- Implement strict container security policies to prevent mounting sensitive directories
- Enforce network segmentation and monitor for unauthorized node addition attempts
🔍 How to Verify
Check if Vulnerable:
Check the machine-config-operator image version:
oc get deployment machine-config-operator -n openshift-machine-config-operator -o jsonpath='{.spec.template.spec.containers[0].image}'
Check Version:
oc version
Verify Fix Applied:
Verify that the version is 4.7.0-202105111858.p0 or later and that /etc/kubernetes/kubeconfig has proper permissions.
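The verification steps above are manual. The following POSIX shell script is an added example (not part of this advisory or of Red Hat's tooling) that automates them: it extracts the tag from a machine-config-operator image reference, compares it numerically against the fixed build 4.7.0-202105111858.p0, and checks that the kubeconfig file grants no group or world access. It assumes the tag format <major>.<minor>.<patch>-<build>.p<n> shown in the advisory, interprets "proper permissions" as no group/other permission bits, and uses constructed image references for the stand-alone run; a digest-pinned reference (@sha256:...) carries no tag, so the function reports it as undeterminable and the `oc version` check above applies instead.

```shell
#!/bin/sh
# Added example: check an OpenShift machine-config-operator image tag and
# kubeconfig permissions for CVE-2020-35514. Not Red Hat's code.

FIXED_VERSION="4.7.0-202105111858.p0"   # fixed build named in the advisory

# Turn "X.Y.Z-BUILD.pN" into "X Y Z BUILD N"; unparsable input is echoed unchanged.
version_fields() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)-([0-9]+)\.p([0-9]+)$/\1 \2 \3 \4 \5/'
}

# version_at_least A B: exit 0 if A >= B field by field, 1 if older, 2 if unparsable.
version_at_least() {
    a=$(version_fields "$1"); b=$(version_fields "$2")
    [ "$a" != "$1" ] && [ "$b" != "$2" ] || return 2
    set -- $a
    for x in $b; do
        y=$1; shift
        [ "$y" -gt "$x" ] && return 0
        [ "$y" -lt "$x" ] && return 1
    done
    return 0
}

# Extract the version from an image reference ending in ":vX.Y.Z-BUILD.pN".
# Digest-pinned references have no tag, so return 1 (undeterminable).
mco_tag_from_image() {
    case "$1" in
        *:v[0-9]*) printf '%s\n' "${1##*:v}" ;;
        *) return 1 ;;
    esac
}

# mco_is_fixed IMAGE: 0 if the tag is at or past FIXED_VERSION, 1 if older,
# 2 if no tag could be read (fall back to `oc version`).
mco_is_fixed() {
    tag=$(mco_tag_from_image "$1") || return 2
    version_at_least "$tag" "$FIXED_VERSION"
}

# perms_are_private MODE: 0 when the octal mode (e.g. "600") has no group/other bits.
perms_are_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# check_kubeconfig_perms PATH: uses stat(1) on a real file (GNU coreutils syntax).
check_kubeconfig_perms() {
    mode=$(stat -c '%a' "$1") || return 2
    perms_are_private "$mode"
}

# Stand-alone run. Set MCO_IMAGE from the advisory's oc command to check a live
# cluster, e.g. MCO_IMAGE="$(oc get deployment machine-config-operator ... )" sh check.sh;
# otherwise two constructed (not real) references are checked.
for img in ${MCO_IMAGE:-"registry.example/openshift4/ose-machine-config-operator:v4.7.0-202105111858.p0" \
                        "registry.example/openshift4/ose-machine-config-operator:v4.6.0-202101010000.p0"}; do
    if mco_is_fixed "$img"; then
        echo "fixed:      $img"
    elif [ $? -eq 1 ]; then
        echo "VULNERABLE: $img (older than $FIXED_VERSION)"
    else
        echo "unknown:    $img (no tag; use 'oc version')"
    fi
done

if [ -f /etc/kubernetes/kubeconfig ]; then
    if check_kubeconfig_perms /etc/kubernetes/kubeconfig; then
        echo "kubeconfig permissions: private"
    else
        echo "kubeconfig permissions: group/other access present (review)"
    fi
fi
```

The build number is compared as an integer, so a later nightly of the same 4.7.0 release (for example 4.7.0-202105120000.p0, a constructed value) counts as fixed, while any 4.6.x tag is reported vulnerable regardless of its build date.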
📡 Detection & Monitoring
Log Indicators:
- Unauthorized node registration attempts in cluster logs
- Unexpected changes to kubeconfig file permissions or content
Network Indicators:
- Unusual API calls to add nodes
- Traffic from unexpected IPs to cluster API
SIEM Query:
source="openshift-audit.log" AND (message="NodeAdded" OR message="kubeconfig")