CVE-2021-20206

7.2 HIGH (CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; the PR:H component reflects that the attacker must already be able to supply network configuration)

📋 TL;DR

This flaw is in libcni, the Go library in containernetworking/cni that container runtimes embed to load network configurations and execute CNI plugins; it is not in the plugin binaries themselves. The 'type' field of a network configuration names the plugin binary to run. Before 0.8.1, libcni joined that value onto each CNI_PATH directory without validating it, so a value such as '../../../sbin/reboot' resolves to an existing binary outside the plugin directory, and libcni executes it with the runtime's privileges (normally root on the node), passing the configuration on stdin and the CNI_* environment. Anything that embeds a vulnerable libcni is affected, including Kubernetes and OpenShift nodes whose runtime (containerd, CRI-O) links it.
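To make the resolution step concrete, here is an added example in Go (my own reconstruction for this page, not libcni's source): a lookup that joins the 'type' value onto each CNI_PATH directory without checking it, beside the same lookup with the path-separator check that 0.8.1 introduced. The file-existence probe is injected so the code runs against a constructed in-memory layout (/opt/cni/bin/bridge and /sbin/reboot) rather than the real node filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// existsFunc abstracts the "is there a file here?" probe so the lookup can be
// exercised against a constructed filesystem instead of the real host.
type existsFunc func(path string) bool

// vulnerableFindInPath models the pre-0.8.1 lookup (a reconstruction, not the
// library's code): the plugin "type" is joined onto each CNI_PATH directory
// with no check on its content, so filepath.Join collapses the ".." segments
// and the candidate can land anywhere on the host.
func vulnerableFindInPath(plugin string, paths []string, exists existsFunc) (string, error) {
	if plugin == "" {
		return "", errors.New("no plugin name provided")
	}
	for _, dir := range paths {
		candidate := filepath.Join(dir, plugin)
		if exists(candidate) {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("failed to find plugin %q in path %v", plugin, paths)
}

// fixedFindInPath adds the rule 0.8.1 introduced: a plugin name may not
// contain a path separator. With that, the only thing a "type" can name is a
// file directly inside one of the configured plugin directories.
func fixedFindInPath(plugin string, paths []string, exists existsFunc) (string, error) {
	if strings.ContainsRune(plugin, os.PathSeparator) {
		return "", fmt.Errorf("invalid plugin name: %s", plugin)
	}
	return vulnerableFindInPath(plugin, paths, exists)
}

// fakeFS is a constructed host layout: one legitimate plugin and one system
// binary that a traversal value can reach. Nothing here touches the real disk.
var fakeFS = map[string]bool{
	"/opt/cni/bin/bridge": true,
	"/sbin/reboot":        true,
}

func fakeExists(p string) bool { return fakeFS[p] }

// cniPath is the usual single plugin directory a runtime is configured with.
var cniPath = []string{"/opt/cni/bin"}

func main() {
	for _, typ := range []string{"bridge", "../../../sbin/reboot"} {
		v, verr := vulnerableFindInPath(typ, cniPath, fakeExists)
		f, ferr := fixedFindInPath(typ, cniPath, fakeExists)
		fmt.Printf("type %q\n  vulnerable -> %q (err: %v)\n  fixed      -> %q (err: %v)\n",
			typ, v, verr, f, ferr)
	}
}
```

Running it shows the legitimate 'bridge' resolving to /opt/cni/bin/bridge under both lookups, while the traversal value resolves to /sbin/reboot under the old lookup and is refused as an invalid plugin name under the fixed one. The exact error text and the plugin directory are assumptions of this example.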

💻 Affected Systems

Products:
  • containernetworking/cni (libcni, the plugin lookup in pkg/invoke)
  • container runtimes that embed libcni, for example containerd and CRI-O
  • Kubernetes and OpenShift nodes running those runtimes
  • any other tool that embeds libcni to load configurations and execute plugins (cnitool included)
Versions: containernetworking/cni before 0.8.1. The version that matters is the one compiled into the runtime binary, not the version of the plugin binaries in /opt/cni/bin.
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes. The unvalidated lookup is the default code path; exploitation still requires the ability to supply network configuration.
Notes: Exploitable wherever the configuration libcni loads can be written by someone who should not have root on the node, for example through a meta-plugin that accepts per-workload network definitions from the cluster API, or through configuration management that writes /etc/cni/net.d on behalf of less privileged users.

📦 What is this software?

CNI (Container Network Interface) is the specification and Go library (libcni) that container runtimes use to set up pod and container networking. The runtime reads JSON network configurations, normally from /etc/cni/net.d, resolves each 'type' to a plugin binary in the CNI_PATH directories (normally /opt/cni/bin), and executes that binary with the configuration on stdin. The plugin binaries themselves (bridge, portmap, and so on) live in the separate containernetworking/plugins repository; this CVE is in the library that selects and runs them.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Anyone who can get a crafted configuration in front of a vulnerable libcni has any existing host binary executed as root on every node that sets up a container with that configuration, with the attacker-controlled configuration delivered on stdin and the CNI_* environment set. Binaries such as 'reboot' or 'shutdown' give complete loss of availability; other existing binaries can be abused for integrity and confidentiality impact, which is why the CVSS rates all three high.

🟠

Likely Case

A user or tenant who is allowed to supply network configuration (for example through a meta-plugin that reads network definitions from cluster objects) but who does not otherwise have root on the nodes gains root-level execution of host binaries; that is the privilege boundary this flaw crosses. It is not a container escape from inside a workload: the attacker needs a way to write configuration, not code execution in a pod.

🟢

If Mitigated

Where /etc/cni/net.d and every other configuration source are writable only by root or node-level agents, exploitation already requires node root, so the flaw adds little beyond what that access grants. Keep that boundary and patch the runtime.

🌐 Internet-Facing: MEDIUM - The CVSS vector is network-reachable but requires high privilege (PR:H); in practice the path is an exposed orchestration or configuration-management API that lets the attacker write network configuration.
🏢 Internal Only: HIGH - Insiders who can write CNI configuration (node access to /etc/cni/net.d, or API rights to objects a meta-plugin turns into configuration) reach root-level binary execution on nodes. Plain container deployment rights are not enough on their own unless the network configuration is derived from what they deploy.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to place a network configuration where a vulnerable libcni will load it. The payload is a single 'type' value containing '../' segments, so once that access exists the complexity is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: containernetworking/cni (libcni) v0.8.1 and later. Because libcni is a library, the fix reaches you through rebuilt binaries of whatever embeds it (container runtime, orchestrator node components, cnitool); updating the plugin binaries in /opt/cni/bin does not fix it.

Vendor Advisory: https://github.com/containernetworking/cni/releases/tag/v0.8.1

Restart Required: Yes, of the process that embeds libcni (the container runtime or node agent). Running containers keep running; only network setups performed after the restart use the patched lookup.

Instructions:

1. Upgrade the container runtime, and any other component that embeds libcni, to a build that ships containernetworking/cni 0.8.1 or later.
2. Restart that component so the patched library is loaded.
3. Audit every source of network configuration for 'type' values containing a path separator or a '..' segment. The patched library refuses such names, so any that remain are either an attack artefact or a misconfiguration that will now fail at container setup.

🔧 Temporary Workarounds

Restrict CNI configuration permissions

linux

Limit who can create or modify the files the runtime loads, and check the ones already there for plugin types that point outside the plugin directory. The runtime runs as root, so tightening these permissions costs nothing operationally; it only stops other local accounts from planting a configuration. Keep in mind that /etc/cni/net.d is one source among several: a meta-plugin that builds configuration from cluster objects needs the same check applied at its input.

chown -R root:root /etc/cni/net.d
chmod 700 /etc/cni/net.d
chmod 600 /etc/cni/net.d/*
grep -lE '"type"[[:space:]]*:[[:space:]]*"[^"]*(/|\.\.)' /etc/cni/net.d/*

Use admission controllers

linux

Kubernetes admission control only helps where network configuration enters through the API server, for example custom resources that a meta-plugin turns into CNI configuration. A validating webhook or policy engine should reject any object whose embedded configuration has a 'type' value containing '/' or '..'. Files written directly to /etc/cni/net.d never pass through admission, so this complements the permission lockdown rather than replacing it.
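Both workarounds above reduce to one check: no 'type' value in any configuration source may contain a path separator. The Go program below is an added example written for this page, not code from containernetworking/cni or any admission controller. findBadPluginTypes applies the check to a single CNI document, which is what a validating webhook would call on the configuration embedded in an API object; scanDir applies it to every .conf, .conflist and .json file in a directory such as /etc/cni/net.d. Run without arguments it checks two constructed sample documents; with a directory argument it scans that directory instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one "type" value that can never name a plugin and that an
// unpatched libcni would have resolved as a filesystem path instead.
type Finding struct{ Source, Type, Reason string }

// checkPluginType applies the rule libcni 0.8.1 enforces (no path separator),
// adding a backslash to be stricter than the library, and rejects empty names.
func checkPluginType(name string) string {
	switch {
	case name == "":
		return "empty plugin type"
	case strings.ContainsAny(name, `/\`):
		return "contains a path separator"
	}
	return ""
}

// findBadPluginTypes checks one document: a .conf carries a single top-level
// "type", a .conflist carries a "plugins" array with one per entry. Unknown
// keys are ignored, so documents of any CNI spec version parse.
func findBadPluginTypes(source string, doc []byte) ([]Finding, error) {
	var cfg struct {
		Type    string
		Plugins []struct{ Type string } // JSON key match is case-insensitive
	}
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return nil, fmt.Errorf("%s: %w", source, err)
	}
	var types []string
	if cfg.Plugins == nil { // single-plugin .conf document
		types = append(types, cfg.Type)
	}
	for _, p := range cfg.Plugins {
		types = append(types, p.Type)
	}
	var out []Finding
	for _, t := range types {
		if reason := checkPluginType(t); reason != "" {
			out = append(out, Finding{Source: source, Type: t, Reason: reason})
		}
	}
	return out, nil
}

// scanDir applies the check to every file libcni would load from a
// configuration directory (.conf, .conflist and .json).
func scanDir(dir string) ([]Finding, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var all []Finding
	for _, e := range entries {
		ext := filepath.Ext(e.Name())
		if e.IsDir() || (ext != ".conf" && ext != ".conflist" && ext != ".json") {
			continue
		}
		path := filepath.Join(dir, e.Name())
		doc, err := os.ReadFile(path)
		if err != nil {
			return nil, err
		}
		found, err := findBadPluginTypes(path, doc)
		if err != nil {
			return nil, err
		}
		all = append(all, found...)
	}
	return all, nil
}

// samples are constructed documents for a stand-alone run (not real node files).
var samples = map[string]string{
	"10-mynet.conflist": `{"cniVersion":"0.4.0","name":"mynet","plugins":[{"type":"bridge"},{"type":"portmap"}]}`,
	"99-evil.conf":      `{"cniVersion":"0.4.0","name":"evil","type":"../../../sbin/reboot"}`,
}

func main() {
	var findings []Finding
	if len(os.Args) > 1 { // scan a real directory such as /etc/cni/net.d
		var err error
		if findings, err = scanDir(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	} else { // no argument: check the constructed samples
		for name, doc := range samples {
			f, _ := findBadPluginTypes(name, []byte(doc))
			findings = append(findings, f...)
		}
	}
	for _, f := range findings {
		fmt.Printf("%s: type %q: %s\n", f.Source, f.Type, f.Reason)
	}
}
```

The single-document function is the piece to reuse in a webhook: feed it the configuration string from the object under review and reject the object on any finding. The file names and sample contents are constructed for the example.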

🧯 If You Can't Patch

  • Lock down every source of CNI network configuration with RBAC and node access controls: the node filesystem under /etc/cni/net.d, any cluster objects a meta-plugin turns into configuration, and the configuration-management path that writes either
  • Do not rely on pod security contexts for this one: the binary named by 'type' runs in the runtime's own context on the host, not inside the container. Instead, alert when the runtime process executes anything outside its plugin directories (an auditd execve rule keyed on the runtime executable captures this)

🔍 How to Verify

Check if Vulnerable:

The flaw is in libcni, so the version that matters is the one compiled into the container runtime, not the plugin binaries in /opt/cni/bin (there is no 'cni --version' command, and a plugin's own version string says nothing about this CVE). For Go binaries built with module support, 'go version -m' lists the dependency versions recorded in the binary:

Check Version:

go version -m "$(command -v containerd || command -v crio)" | awk '$2 == "github.com/containernetworking/cni" { print $3 }'

Without a Go toolchain on the node, 'strings' on the binary usually still exposes the module path with its version (search for 'containernetworking/cni@v'); if neither shows one, the binary was built without module information and the runtime vendor's release notes are the remaining source.

Verify Fix Applied:

The printed version must be v0.8.1 or later. A pseudo-version such as v0.8.1-0.2021... identifies a commit before the v0.8.1 tag and is still vulnerable, so do not match on the prefix alone. As a functional check on a test node, a configuration whose 'type' contains a '/' must be rejected by the runtime with a libcni 'invalid plugin name' error instead of being executed.
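Since the affected code is a library compiled into the runtime, the reliable check is the libcni version recorded in the runtime binary's Go build info. The program below is an added example written for this page, not a tool from the CNI project: it reads that build info with the standard library's debug/buildinfo package, honours a replace directive, and compares the version against v0.8.1 using the Go module ordering rule under which a pseudo-version such as v0.8.1-0.2021... is a commit before the tag and therefore still vulnerable. Without arguments it runs over constructed sample build info; the sample version strings are illustrative.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

const (
	libcniModule     = "github.com/containernetworking/cni"
	fixedVersion     = "v0.8.1"
	statusPatched    = 0
	statusVulnerable = 1
	statusUnknown    = 2 // libcni not listed, or its version unparseable
)

// libcniVersion returns the libcni version recorded in a binary's build info,
// honouring a replace directive, and false if the module is not listed.
func libcniVersion(bi *debug.BuildInfo) (string, bool) {
	for _, dep := range bi.Deps {
		if dep.Path == libcniModule {
			if dep.Replace != nil {
				dep = dep.Replace
			}
			return dep.Version, true
		}
	}
	return "", false
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-suffix]" into its numbers and
// reports whether a "-" suffix (pre-release or pseudo-version) was present.
func parseVersion(s string) (nums [3]int, pre bool, err error) {
	s, _, pre = strings.Cut(strings.TrimPrefix(s, "v"), "-")
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &nums[0], &nums[1], &nums[2]); n != 3 || err != nil {
		return nums, pre, fmt.Errorf("unrecognised version %q", s)
	}
	return nums, pre, nil
}

// atLeast reports whether v >= min under Go module ordering. A pseudo-version
// such as v0.8.1-0.20210202123456-0123456789ab names a commit *before* the
// v0.8.1 tag, so any suffixed version sorts below the bare release it names.
func atLeast(v, min string) (bool, error) {
	a, apre, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	b, bpre, err := parseVersion(min)
	if err != nil {
		return false, err
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i], nil
		}
	}
	return !apre || bpre, nil
}

// checkBuildInfo turns one binary's build info into a verdict and a status.
func checkBuildInfo(bi *debug.BuildInfo) (string, int) {
	v, ok := libcniVersion(bi)
	if !ok {
		return "libcni not recorded in build info; check the vendor's release notes", statusUnknown
	}
	if fixed, err := atLeast(v, fixedVersion); err != nil {
		return fmt.Sprintf("libcni %q: %v", v, err), statusUnknown
	} else if fixed {
		return "libcni " + v + ": patched", statusPatched
	}
	return "libcni " + v + ": VULNERABLE to CVE-2021-20206", statusVulnerable
}

// sampleBuildInfo is a constructed stand-in for what buildinfo.ReadFile
// returns for a runtime linked against the given libcni version.
func sampleBuildInfo(version string) *debug.BuildInfo {
	return &debug.BuildInfo{Deps: []*debug.Module{{Path: libcniModule, Version: version}}}
}

func main() {
	if len(os.Args) < 2 { // no binaries named: show verdicts for constructed samples
		for _, v := range []string{"v0.7.1", "v0.8.1-0.20210202123456-0123456789ab", "v0.8.1", "v1.1.2"} {
			verdict, _ := checkBuildInfo(sampleBuildInfo(v))
			fmt.Println(verdict)
		}
		return
	}
	for _, path := range os.Args[1:] { // e.g. /usr/bin/containerd /usr/bin/crio
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		verdict, _ := checkBuildInfo(bi)
		fmt.Printf("%s: %s\n", path, verdict)
	}
}
```

Point it at the runtime binaries on a node; a binary built without module information yields the "not recorded" verdict rather than a false "patched", which is the failure mode a naive grep on the version string would hide.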

📡 Detection & Monitoring

Log Indicators:

  • libcni errors in the runtime log that name a plugin with '/' in it: 'invalid plugin name' on patched builds, 'failed to find plugin' on any build when the traversal target does not exist
  • New or modified files under /etc/cni/net.d (file-integrity or auditd watch) whose 'type' value contains '/' or '..'
  • execve by the container runtime process of a binary outside the CNI_PATH directories (an auditd execve rule keyed on the runtime executable captures this), and unexplained node reboots that coincide with container creation

Network Indicators:

  • Changes to network-configuration objects or files pushed through the orchestration or configuration-management API by principals that do not normally touch them

SIEM Query:

Field names here are placeholders for whatever your runtime's log source exposes; adjust them to the actual schema. Matching on '..' anywhere in a raw line is noisy, so anchor on the libcni messages as well as the traversal sequence:

source="container-runtime" AND ("invalid plugin name" OR "failed to find plugin") AND ("../" OR "..\\")

🔗 References

  • https://github.com/containernetworking/cni/releases/tag/v0.8.1
  • https://nvd.nist.gov/vuln/detail/CVE-2021-20206
