CVE-2021-25741
📋 TL;DR
A symlink-exchange flaw in the kubelet's handling of subPath volume mounts lets a user who can create pods reach files and directories outside the volume, including on the node's host filesystem. Every cluster is affected where users who are not trusted with host access can create pods (directly, or through workload controllers such as Deployments) with a volume mount that uses subPath. The vulnerable component is the kubelet; the outcome is privilege escalation from an ordinary pod to host filesystem access.
💻 Affected Systems
- Kubernetes
📦 What is this software?
Kubernetes by Kubernetes
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full access to the host filesystem, potentially compromising all containers on the node, stealing sensitive data, or establishing persistence on the underlying infrastructure.
Likely Case
Privilege escalation within the cluster: a pod reads or writes files outside its volume, giving unauthorized access to sensitive files, configuration data, or secrets stored on volumes or the host filesystem.
If Mitigated
Limited impact if proper RBAC controls restrict pod creation and volume mount permissions to trusted users only.
🎯 Exploit Status
Exploitation requires the ability to create pods (directly or through a workload controller) with subPath volume mounts; no node or cluster-admin access is needed. Proof-of-concept code is publicly available in the GitHub issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.22.2, v1.21.5, v1.20.11, v1.19.15
Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/nyfdhK24H7s
Restart Required: Yes (the kubelet on every node)
Instructions:
1. Upgrade the kubelet on every node to a patched release. The fix is in the kubelet, so a patched control plane alone does not close the hole; upgrade the control plane first and then the nodes, as usual.
2. For managed services (EKS, AKS, GKE), upgrade node pools with the provider's procedure, then confirm the kubelet version each node reports, because control-plane and node versions can differ.
3. Restart the kubelet on each node (a package or node-image upgrade does this), draining the node first so that pods which were using subPath mounts are recreated under the patched kubelet.
🔧 Temporary Workarounds
Restrict Pod Creation Permissions
Use Kubernetes RBAC so that only trusted users and service accounts can create pods. RBAC only grants, so adding another role does nothing; the workaround is to remove the create verb on pods, and on the controllers that create pods (deployments, daemonsets, statefulsets, jobs, cronjobs), from every untrusted subject. Check a subject's effective permission before and after:
kubectl auth can-i create pods --as=<user> -n <namespace>
kubectl auth can-i create deployments.apps --as=<user> -n <namespace>
Disable Subpath Mounts via Admission Controller
Use a validating admission webhook to reject pod specifications containing subPath volume mounts. Treat subPathExpr the same way (it expands to a subPath), look in initContainers and ephemeralContainers as well as containers, and apply the rule to the pod templates of workload controllers too, or the check is bypassed by creating a Deployment instead of a bare pod.
# Requires custom admission controller implementation
# Example policy would reject pods with spec.containers[*].volumeMounts[*].subPath
# or subPathExpr, and the same paths under spec.initContainers and spec.ephemeralContainers
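As an added example (not code from this page or from the Kubernetes project), the decision core of such a webhook in Go, with hand-rolled struct types instead of k8s.io/api so it runs stand-alone: FindSubPathMounts walks all three container lists, ReviewPod turns an AdmissionReview request into the allow/deny response, and SubPathPods inventories the pods already using subPath from kubectl's JSON output, which is what a deny policy would break and what the vendor advisory says to remove if the VolumeSubpath feature gate is turned off instead. The AdmissionReview document and the pod list are constructed samples; the field names come from the admission.k8s.io/v1 and core/v1 APIs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed pod shape (not k8s.io/api). encoding/json matches keys case-insensitively,
// so these untagged fields pick up name/mountPath/subPath/subPathExpr as written.
type volumeMount struct{ Name, MountPath, SubPath, SubPathExpr string }
type container struct {
	Name         string
	VolumeMounts []volumeMount
}
type podSpec struct{ Containers, InitContainers, EphemeralContainers []container }

// FindSubPathMounts lists every volumeMount that sets subPath or subPathExpr across regular,
// init and ephemeral containers (the last two are the ones ad-hoc checks tend to miss).
func FindSubPathMounts(spec podSpec) []string {
	var hits []string
	all := append(append(append([]container{}, spec.Containers...), spec.InitContainers...), spec.EphemeralContainers...)
	for _, c := range all {
		for _, m := range c.VolumeMounts {
			if m.SubPath != "" || m.SubPathExpr != "" {
				hits = append(hits, fmt.Sprintf("container %q volume %q at %s (subPath=%q subPathExpr=%q)", c.Name, m.Name, m.MountPath, m.SubPath, m.SubPathExpr))
			}
		}
	}
	return hits
}

// admission.k8s.io/v1 AdmissionReview, trimmed to the fields the webhook reads and writes.
type admissionResponse struct {
	UID     string                 `json:"uid"`
	Allowed bool                   `json:"allowed"`
	Status  map[string]interface{} `json:"status,omitempty"`
}
type admissionReview struct {
	APIVersion string                                        `json:"apiVersion"`
	Kind       string                                        `json:"kind"`
	Request    *struct{ UID string; Object json.RawMessage } `json:"request,omitempty"`
	Response   *admissionResponse                            `json:"response,omitempty"`
}

// ReviewPod is the decision core of a ValidatingAdmissionWebhook registered for pod CREATE and
// UPDATE: decode the review, deny when any subPath mount is present, and return the response
// document the API server expects (same uid, allowed flag, reason in status).
func ReviewPod(reviewJSON []byte) ([]byte, bool, error) {
	var ar admissionReview
	if err := json.Unmarshal(reviewJSON, &ar); err != nil || ar.Request == nil {
		return nil, false, fmt.Errorf("not an AdmissionReview with a request: %v", err)
	}
	var p struct{ Spec podSpec }
	if err := json.Unmarshal(ar.Request.Object, &p); err != nil {
		return nil, false, err
	}
	hits := FindSubPathMounts(p.Spec)
	resp := &admissionResponse{UID: ar.Request.UID, Allowed: len(hits) == 0}
	if !resp.Allowed {
		resp.Status = map[string]interface{}{"code": 403, "message": "subPath volume mounts are blocked until CVE-2021-25741 is patched: " + strings.Join(hits, "; ")}
	}
	out, err := json.Marshal(admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp})
	return out, resp.Allowed, err
}

// SubPathPods takes the output of `kubectl get pods -A -o json` and returns namespace/name for
// every existing pod that uses subPath: what a deny policy would have blocked, and what has to
// be removed or rebuilt if the VolumeSubpath feature gate is switched off.
func SubPathPods(podListJSON []byte) ([]string, error) {
	var list struct {
		Items []struct {
			Metadata struct{ Name, Namespace string }
			Spec     podSpec
		}
	}
	if err := json.Unmarshal(podListJSON, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, p := range list.Items {
		if len(FindSubPathMounts(p.Spec)) > 0 {
			out = append(out, p.Metadata.Namespace+"/"+p.Metadata.Name)
		}
	}
	return out, nil
}

// Constructed samples, not taken from a real cluster: a review whose init container uses
// subPath, and a pod list with one subPathExpr user and one clean pod.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"7b6c0f1e","object":{"metadata":{"name":"web","namespace":"dev"},"spec":{"containers":[{"name":"app","volumeMounts":[{"name":"data","mountPath":"/data"}]}],"initContainers":[{"name":"init","volumeMounts":[{"name":"data","mountPath":"/cfg","subPath":"cfg"}]}]}}}}`
const samplePods = `{"kind":"List","items":[{"metadata":{"name":"web-1","namespace":"dev"},"spec":{"containers":[{"name":"app","volumeMounts":[{"name":"cfg","mountPath":"/etc/app","subPathExpr":"$(POD_NAME)"}]}]}},{"metadata":{"name":"build-7","namespace":"ci"},"spec":{"containers":[{"name":"b","volumeMounts":[{"name":"ws","mountPath":"/ws"}]}]}}]}`

func main() {
	resp, allowed, err := ReviewPod([]byte(sampleReview))
	fmt.Printf("admission allowed=%v err=%v\n%s\n", allowed, err, resp)
	pods, err := SubPathPods([]byte(samplePods))
	fmt.Printf("existing pods using subPath=%q err=%v\n", pods, err)
}
```

The TLS listener, the ValidatingWebhookConfiguration object, and registering the same check for the pod templates of Deployments, Jobs and other controllers are left out; without the last of these the policy is bypassed by creating a workload instead of a bare pod. Run SubPathPods over real output (kubectl get pods -A -o json) before enabling the deny rule, so that known users of subPath are handled first.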
🧯 If You Can't Patch
- Implement strict RBAC controls so that only essential users and service accounts can create pods, or the controllers that create them
- Block subPath mounts with an admission policy, or follow the vendor advisory's mitigation: disable the VolumeSubpath feature gate (--feature-gates=VolumeSubpath=false) on kubelets and kube-apiservers and delete the pods already using subPath
- Monitor API-server audit logs for pod creations that use subPath, and treat new ones from unexpected users as suspicious
🔍 How to Verify
Check if Vulnerable:
The vulnerable component is the kubelet, so check the version each node runs rather than the API server or the kubectl client: the VERSION column of 'kubectl get nodes' is the kubelet version. A node is vulnerable if it is below the patched release for its minor line (v1.22.2, v1.21.5, v1.20.11, v1.19.15) or on 1.18 or older, which never received a fix. Also check which users and service accounts can create pods.
Check Version:
kubectl get nodes -o wide
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kubeletVersion}{"\n"}{end}'
Verify Fix Applied:
After the upgrade, confirm every node reports a kubelet version at or above the patched release for its line. Do not rely on a functional test: a patched kubelet still accepts subPath mounts, the fix only closes the symlink race, so a pod with a subPath mount starting normally tells you nothing. If you deployed an admission policy as a workaround, a test pod with a subPath mount in a scratch namespace should be rejected with the policy's message.
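Added example, not code from this page or from Kubernetes: a Go check that applies the patched-version table above to the kubelet version each node reports in kubectl get nodes -o json. It tolerates provider build suffixes (the EKS-style suffix in the sample is made up) and treats 1.18 and older as having no fix; the node list is a constructed sample, replace it with real output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// First patched kubelet release on each affected minor line, from the advisory.
var fixedPatch = map[int]int{19: 15, 20: 11, 21: 5, 22: 2}

// Accepts "v1.21.5", "1.21.5" and provider-suffixed builds such as "v1.21.5-eks-bc4871b";
// only the leading major.minor.patch triple matters for the comparison.
var versionRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)`)

// Vulnerable reports whether a kubelet version string predates the fix on its minor line.
// Lines newer than 1.22 shipped with the fix; lines older than 1.19 never received one.
func Vulnerable(version string) (bool, error) {
	m := versionRe.FindStringSubmatch(version)
	if m == nil {
		return false, fmt.Errorf("unparseable kubelet version %q", version)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	if major > 1 || (major == 1 && minor > 22) {
		return false, nil
	}
	need, ok := fixedPatch[minor]
	if !ok {
		return true, nil // 1.18 and older: out of support, no patched release exists
	}
	return patch < need, nil
}

// nodeList mirrors the two fields this check needs from `kubectl get nodes -o json`.
type nodeList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Status struct {
			NodeInfo struct {
				KubeletVersion string `json:"kubeletVersion"`
			} `json:"nodeInfo"`
		} `json:"status"`
	} `json:"items"`
}

// UnpatchedNodes parses kubectl's JSON node list and returns the names of nodes whose
// kubelet is still vulnerable, in the order the API server listed them.
func UnpatchedNodes(nodesJSON []byte) ([]string, error) {
	var nl nodeList
	if err := json.Unmarshal(nodesJSON, &nl); err != nil {
		return nil, err
	}
	var unpatched []string
	for _, n := range nl.Items {
		vuln, err := Vulnerable(n.Status.NodeInfo.KubeletVersion)
		if err != nil {
			return nil, fmt.Errorf("node %s: %w", n.Metadata.Name, err)
		}
		if vuln {
			unpatched = append(unpatched, n.Metadata.Name)
		}
	}
	return unpatched, nil
}

// Constructed sample in the shape of `kubectl get nodes -o json`, not from a real cluster:
// a patched control-plane node, an EKS worker one patch behind, a patched 1.20 worker,
// and a 1.18 node that can only be fixed by upgrading to a supported line.
const sampleNodes = `{"items":[
 {"metadata":{"name":"cp-1"},"status":{"nodeInfo":{"kubeletVersion":"v1.22.2"}}},
 {"metadata":{"name":"worker-a"},"status":{"nodeInfo":{"kubeletVersion":"v1.21.4-eks-bc4871b"}}},
 {"metadata":{"name":"worker-b"},"status":{"nodeInfo":{"kubeletVersion":"v1.20.11"}}},
 {"metadata":{"name":"legacy"},"status":{"nodeInfo":{"kubeletVersion":"v1.18.20"}}}
]}`

func main() {
	nodes, err := UnpatchedNodes([]byte(sampleNodes))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("nodes with unpatched kubelets:", nodes)
}
```

The check is deliberately per node: in managed clusters the control plane is often upgraded before the node pools, so the API server version that 'kubectl version' prints says nothing about the kubelets.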
📡 Detection & Monitoring
Log Indicators:
- Pod creation events whose spec contains a volumeMount with subPath or subPathExpr, in containers, initContainers or ephemeralContainers
- subPath mounts in pods created by users or service accounts that do not normally create pods, or outside normal deployment windows
- Repeated pod creation attempts with subPath mounts after an admission policy starts rejecting them
- Audit logs showing pod creation by unauthorized users
Network Indicators:
- Pod-creation API calls from unusual source addresses (the sourceIPs field of the audit event)
SIEM Query:
source="kubernetes-audit" AND verb="create" AND objectRef.resource="pods" AND (requestObject.spec.containers[*].volumeMounts[*].subPath EXISTS OR requestObject.spec.containers[*].volumeMounts[*].subPathExpr EXISTS OR requestObject.spec.initContainers[*].volumeMounts[*].subPath EXISTS OR requestObject.spec.initContainers[*].volumeMounts[*].subPathExpr EXISTS)
requestObject is only recorded when the audit policy logs pods at level Request or RequestResponse; at Metadata level the mount list never reaches the log and this query matches nothing. Pods created through controllers appear as creates by the controller's service account (system:serviceaccount:kube-system:replicaset-controller, for example), so match on the controller resources as well, or attribute the pod through its ownerReferences.
🔗 References
- https://github.com/kubernetes/kubernetes/issues/104980
- https://groups.google.com/g/kubernetes-security-announce/c/nyfdhK24H7s
- https://security.netapp.com/advisory/ntap-20211008-0006/