Today, for its January 2021 Patch Tuesday, Microsoft released an important security update for Azure Active Directory Pod Identities. This vulnerability is known as CVE-2021-1677 and is rated with CVSSv3.0 scores of 5.5/4.8.
About the vulnerability
The Azure AD pod identity feature enables users to assign identities to pods in Kubernetes clusters and fetch them from the pods using a regular IMDS (Azure Instance Metadata Service) request. When an identity is assigned to a pod, the pod can access the IMDS endpoint and get a token for that identity.
The Kubenet network plugin is susceptible to ARP spoofing. This makes it possible for a pod to impersonate another pod that has access to an identity. Using the CAP_NET_RAW capability, a pod that is controlled by an attacker could request a token as the pod it is impersonating. An attacker who successfully exploited this vulnerability can laterally steal the identities that are associated with different pods.
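To see which workloads hold the capability this issue depends on, the following added example (not part of Microsoft's advisory or the AAD Pod Identity project) inventories containers that retain CAP_NET_RAW from a pod list. The pod data is a constructed sample, and the code assumes the container runtime grants NET_RAW by default unless the pod spec drops it.

```python
# Constructed sample shaped like the output of `kubectl get pods -A -o json`.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"name": "app"}]}},
    {"metadata": {"namespace": "default", "name": "api"},
     "spec": {"containers": [
         {"name": "api", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
         {"name": "proxy", "securityContext": {"capabilities": {
             "drop": ["ALL"], "add": ["NET_RAW"]}}}]}},
    {"metadata": {"namespace": "default", "name": "batch"},
     "spec": {"containers": [
         {"name": "job", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
    {"metadata": {"namespace": "kube-system", "name": "agent"},
     "spec": {"containers": [
         {"name": "agent", "securityContext": {"privileged": True}}]}},
]}

def _names(caps):
    """Upper-case capability names and strip an optional CAP_ prefix."""
    out = set()
    for cap in caps or []:
        cap = cap.upper()
        out.add(cap[4:] if cap.startswith("CAP_") else cap)
    return out

def retains_net_raw(container):
    """True if the container can still open raw sockets (CAP_NET_RAW)."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True  # privileged containers hold every capability
    caps = sc.get("capabilities") or {}
    if _names(caps.get("add")) & {"NET_RAW", "ALL"}:
        return True  # explicitly granted (treated as exposed even if also dropped)
    # Assumption: the runtime's default set includes NET_RAW unless dropped.
    return not (_names(caps.get("drop")) & {"NET_RAW", "ALL"})

def audit(pod_list):
    """Return (namespace, pod, container) for every container holding NET_RAW."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
            if retains_net_raw(c):
                findings.append((meta["namespace"], meta["name"], c["name"]))
    return findings

if __name__ == "__main__":
    for ns, pod, container in audit(SAMPLE_PODS):
        print(f"{ns}/{pod}: container {container} retains CAP_NET_RAW")
```

To run it against a real cluster, load the JSON produced by `kubectl get pods -A -o json` and pass it to `audit()` in place of the sample.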
Addressing the vulnerability
By default, Azure Kubernetes Service (AKS) clusters use Kubenet. With Kubenet, a virtual network and subnet are created, nodes get an IP address from the virtual network subnet, and network address translation (NAT) is then configured on the nodes. Pods receive an IP address hidden behind the node IP.
With Azure Container Networking Interface (CNI), every pod gets an IP address from the subnet and can be accessed directly. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node is then reserved up front for that node.
Organizations with existing Azure Kubernetes Service (AKS) clusters need to re-deploy their cluster(s) and use Azure CNI instead of the default Kubenet.
Call to action
Please re-deploy any previously deployed Azure Kubernetes Service (AKS) clusters using Azure Container Networking Interface (CNI) instead of Kubenet (default).
Starting from version 1.7, the Azure AD Pod Identity feature is disabled by default on clusters with the Kubenet network plugin. The NMI pods will fail to run with the following error:
AAD Pod Identity is not supported for Kubenet