CVE-2021-36779
📋 TL;DR
This vulnerability allows any workload in a Kubernetes cluster running vulnerable SUSE Longhorn versions to execute arbitrary binaries from container images on the host system without authentication. It affects Longhorn storage systems where workloads can interact with the Longhorn API. The issue enables container escape and host-level command execution.
💻 Affected Systems
- SUSE Longhorn
📦 What is this software?
Longhorn by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise where an attacker gains root access to all nodes, exfiltrates sensitive data, deploys persistent backdoors, or destroys infrastructure.
Likely Case
Privilege escalation from container to host, allowing attackers to access other containers, steal credentials, or deploy cryptocurrency miners.
If Mitigated
Limited impact if network policies restrict pod-to-pod communication and workloads have minimal permissions, though risk remains for authorized workloads.
🎯 Exploit Status
Exploitation requires network access to Longhorn API from a workload, but no authentication is needed. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Longhorn 1.1.3 or 1.2.3
Vendor Advisory: https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx
Restart Required: Yes
Instructions:
1. Backup Longhorn volumes and configurations.
2. Upgrade the Longhorn manager and engine components to version 1.1.3 or 1.2.3.
3. Restart the Longhorn pods and verify that all components are running the patched version.
🔧 Temporary Workarounds
Network Policy Restriction
Implement Kubernetes Network Policies that restrict pod-to-pod communication so that only Longhorn's own components can reach the Longhorn API endpoints. Enforcement requires a CNI plugin that supports NetworkPolicy; with a CNI that ignores it, the policy is accepted but has no effect.
kubectl apply -f network-policy.yaml
API Endpoint Firewall Rules
Configure host firewall rules to block access to the Longhorn API ports (default 9500-9502) from non-essential pods. A blanket DROP for the whole pod CIDR also cuts off Longhorn's own components (manager, UI, CSI plugin), so place an ACCEPT rule for their addresses ahead of it.
iptables -A INPUT -p tcp --dport 9500:9502 -s <pod-cidr> -j DROP
🧯 If You Can't Patch
- Isolate Longhorn management network from workload networks using network segmentation
- Implement strict Pod Security Policies to limit container capabilities and prevent privilege escalation
🔍 How to Verify
Check if Vulnerable:
Check the Longhorn manager image (longhorn-manager runs as a DaemonSet in the longhorn-system namespace, not a Deployment): kubectl get daemonset longhorn-manager -n longhorn-system -o jsonpath='{.spec.template.spec.containers[0].image}'
Check Version:
kubectl get daemonset longhorn-manager -n longhorn-system -o jsonpath='{.spec.template.spec.containers[0].image}' | cut -d: -f2
Verify Fix Applied:
Verify that the image tag is 1.1.3 or higher on the 1.1.x branch, or 1.2.3 or higher on the 1.2.x branch, for every Longhorn pod: kubectl get pods -n longhorn-system -o jsonpath='{range .items[*]}{.spec.containers[0].image}{"\n"}{end}' | grep longhorn
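A small POSIX shell helper, added here and not part of the advisory, that applies the branch rule above to an image tag and wraps the kubectl one-liner to report every longhorn-manager image in the cluster. It assumes release tags of the form v1.2.2 (as the cut command above produces) and reports anything else as unknown instead of guessing.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a Longhorn image tag as
# "vulnerable", "fixed" or "unknown" for CVE-2021-36779 using the fix versions
# the advisory gives (1.1.3 on the 1.1.x branch, 1.2.3 on the 1.2.x branch).
# Assumes release tags of the form "v1.2.2" or "1.2.2"; anything else (for
# example "latest" or "v1.2.3-rc1") is reported as unknown rather than guessed.
# Return code: 0 = vulnerable, 1 = fixed, 2 = unknown.
longhorn_cve_2021_36779_status() {
    tag=${1#v}
    case "$tag" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 2 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $tag; IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    case "$major.$minor" in
        1.1|1.2)
            # On the two patched branches only the patch level decides.
            if [ "$patch" -lt 3 ]; then echo vulnerable; return 0; fi
            echo fixed; return 1 ;;
    esac
    # Anything older than 1.1 predates the fix; 1.3 and later already carry it.
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 1 ]; }; then
        echo vulnerable; return 0
    fi
    echo fixed; return 1
}

# Wraps the kubectl one-liner from the advisory: report the status of every
# longhorn-manager image running in the longhorn-system namespace.
check_cluster() {
    kubectl get pods -n longhorn-system \
        -o jsonpath='{range .items[*]}{.spec.containers[0].image}{"\n"}{end}' \
      | grep longhorn-manager | sort -u | while read -r image; do
        printf '%s: %s\n' "$image" "$(longhorn_cve_2021_36779_status "${image##*:}")"
    done
}
```

Run check_cluster against a cluster with kubectl access; the tag parser on its own needs no cluster and can be reused in a CI gate.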
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to Longhorn endpoints from unexpected pods
- Container escape attempts in kernel logs
- Unexpected binary execution on hosts from container contexts
Network Indicators:
- Unusual traffic to Longhorn API ports (9500-9502) from workload pods
- Outbound connections from hosts to suspicious destinations following API calls
SIEM Query:
source="kube-audit" AND (objectRef.resource="longhorn" OR objectRef.namespace="longhorn-system") AND verb!="get" AND userAgent NOT IN ("longhorn-manager", "longhorn-ui")