CVE-2021-20198
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands within running containers on OpenShift bootstrap nodes during cluster installation. It affects OpenShift Container Platform 4 clusters where the installer has anonymous authentication enabled on kubelet port 10250. The flaw enables unauthenticated /exec requests that can compromise data confidentiality, integrity, and system availability.
💻 Affected Systems
- OpenShift Container Platform
- OpenShift Installer
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise during installation phase, allowing attackers to execute arbitrary commands in containers, steal sensitive data, modify configurations, and disrupt cluster availability.
Likely Case
Attackers with network access to bootstrap nodes during installation can execute commands in containers, potentially gaining initial foothold for lateral movement within the cluster.
If Mitigated
Limited impact if network segmentation prevents external access to bootstrap nodes and installation completes quickly before attackers can exploit the window.
🎯 Exploit Status
Exploitation requires network access to port 10250 on bootstrap nodes during the installation window. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenShift Installer v0.9.0-master.0.20210125200451-95101da940b0 or later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1920764
Restart Required: Yes
Instructions:
1. Update OpenShift Installer to version v0.9.0-master.0.20210125200451-95101da940b0 or later.
2. Reinstall affected clusters using the updated installer.
3. Verify bootstrap nodes no longer have anonymous authentication enabled on kubelet port 10250.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to bootstrap nodes during installation using firewall rules or network policies, for example on the bootstrap node:
```shell
iptables -A INPUT -p tcp --dport 10250 -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport 10250 -j DROP
```
Make sure <trusted_network> covers the installer host and any node that must reach the bootstrap kubelet, otherwise the installation can stall. The ACCEPT rule has to sit before the DROP rule, which -A preserves as long as the commands run in this order.
Reduce Installation Window
Minimize the time bootstrap nodes are online by streamlining the installation process and monitoring its progress.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate bootstrap nodes from untrusted networks
- Monitor port 10250 access attempts and implement intrusion detection for /exec requests
🔍 How to Verify
Check if Vulnerable:
Check whether bootstrap nodes accept unauthenticated requests on the kubelet port, either by probing it during installation:
```shell
curl -k https://<bootstrap_ip>:10250/exec
```
or by examining the kubelet configuration on the bootstrap node. A kubelet with anonymous authentication disabled answers 401 Unauthorized; any other response means the request was processed without credentials.
Check Version:
```shell
openshift-install version
```
Verify Fix Applied:
Verify installer version is v0.9.0-master.0.20210125200451-95101da940b0 or later and that bootstrap nodes reject unauthenticated /exec requests
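The probe described above, as an added Python example that is not part of the advisory: it sends one unauthenticated request to the kubelet port, the same thing `curl -k` does, and turns the HTTP status into a verdict so the check can run from a script against each bootstrap node. The host name is supplied on the command line; everything else is inferred from the advisory (port 10250, the /exec path).

```python
"""Added example (not from the advisory): probe a bootstrap node's kubelet
port and report whether it rejects requests that carry no credentials."""
import ssl
import sys
import urllib.error
import urllib.request

KUBELET_PORT = 10250  # kubelet port named in the advisory


def interpret_status(status):
    """Turn the HTTP status of an unauthenticated request into a verdict.

    A kubelet with anonymous authentication disabled answers 401 Unauthorized
    before it looks at the path, so 401 is the healthy answer. Any other
    status means the request was accepted as the anonymous user and handed to
    authorization, which is the configuration the advisory warns about.
    """
    if status == 401:
        return "ok: anonymous authentication is disabled (401 Unauthorized)"
    return (f"check: unauthenticated request was processed (HTTP {status}); "
            "anonymous authentication appears to be enabled on the kubelet")


def probe_kubelet(host, port=KUBELET_PORT, timeout=5.0):
    """Send one unauthenticated GET to /exec, the same probe as `curl -k`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # bootstrap serving certs are self-signed
    req = urllib.request.Request(f"https://{host}:{port}/exec", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 4xx/5xx answers are the interesting ones here
    except (urllib.error.URLError, OSError) as err:
        return None, f"unreachable: {err}"
    return status, interpret_status(status)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_kubelet.py <bootstrap_ip>")
    code, verdict = probe_kubelet(sys.argv[1])
    print(code, verdict)
```

Run it as `python probe_kubelet.py <bootstrap_ip>` while the bootstrap node is up; a 401 is the answer you want to see, and an unreachable result usually means the network segmentation workaround is already in place between you and the node.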
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to kubelet port 10250
- /exec requests from unauthorized sources in kubelet logs
Network Indicators:
- Unusual traffic to port 10250 on bootstrap nodes
- HTTP POST requests to /exec endpoint from unexpected sources
SIEM Query (field names are illustrative; adapt them to your schema):
```
dest_port:10250 AND http_method:POST AND http_uri:"/exec*"
```
The kubelet listens on 10250, so inbound requests are matched on the destination port, not the source port. The trailing wildcard covers the namespace, pod and container segments that follow /exec in the kubelet's path.
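The indicators above, applied to HTTP access records by an added Python detector that is not part of the advisory. The record schema, the field names, the trusted network range and the four sample lines are all constructed for this example; map them onto whatever your collector emits. It matches on the destination port because the kubelet is the listener, and it separates plain anonymous access from the unauthenticated POST /exec that is the CVE condition itself.

```python
"""Added example (not part of the advisory): apply the detection indicators
to HTTP access records. The record schema, field names and sample lines are
constructed for this example; map them onto what your collector emits."""
import ipaddress
import json

KUBELET_PORT = 10250
# Hosts allowed to reach the bootstrap kubelet during installation.
# Assumed installer/control-plane range; replace with your own.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]
ANONYMOUS_USERS = {None, "", "system:anonymous"}  # kubelet's name for "no credentials"

# Constructed sample records (JSON lines), one per scenario:
#  1. authenticated POST /exec from the installer network  -> benign
#  2. unauthenticated POST /exec from an outside address    -> the CVE condition
#  3. unauthenticated GET /metrics from the same address    -> anonymous access
#  4. POST /exec to a different port                        -> ignored
SAMPLE_LOGS = """\
{"ts":"2021-01-26T10:01:02Z","src_ip":"10.0.0.5","dst_port":10250,"method":"POST","uri":"/exec/kube-system/example-pod/main","user":"system:admin"}
{"ts":"2021-01-26T10:01:09Z","src_ip":"203.0.113.7","dst_port":10250,"method":"POST","uri":"/exec/kube-system/example-pod/main","user":"system:anonymous"}
{"ts":"2021-01-26T10:01:15Z","src_ip":"203.0.113.7","dst_port":10250,"method":"GET","uri":"/metrics","user":"system:anonymous"}
{"ts":"2021-01-26T10:01:20Z","src_ip":"203.0.113.7","dst_port":6443,"method":"POST","uri":"/exec","user":"system:anonymous"}
"""


def is_trusted(ip):
    """True if the source address falls inside an allowed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(record):
    """Return the indicator names that fire on one record (empty if none)."""
    hits = []
    if record.get("dst_port") != KUBELET_PORT:
        return hits  # only the kubelet port is of interest here
    is_exec = record.get("method") == "POST" and record.get("uri", "").startswith("/exec")
    anonymous = record.get("user") in ANONYMOUS_USERS
    if anonymous:
        hits.append("unauthenticated_kubelet_access")   # log indicator 1
    if is_exec and not is_trusted(record["src_ip"]):
        hits.append("exec_from_untrusted_source")        # log indicator 2 / network indicator 2
    if is_exec and anonymous:
        hits.append("unauthenticated_exec")              # the CVE-2021-20198 condition itself
    return hits


def scan(lines):
    """Run classify() over JSON-lines input; return (ts, src_ip, uri, hits) per alert."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            alerts.append((rec["ts"], rec["src_ip"], rec["uri"], hits))
    return alerts


if __name__ == "__main__":
    for ts, src, uri, hits in scan(SAMPLE_LOGS):
        print(f"{ts} {src} {uri}: {', '.join(hits)}")
```

On the sample input only the two records from 203.0.113.7 alert: the POST /exec fires all three indicators, the GET /metrics fires only the anonymous-access one, and the trusted, authenticated exec and the request to port 6443 stay quiet. Tuning comes down to TRUSTED_NETWORKS and, if your collector records the authenticated user differently, ANONYMOUS_USERS.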