Headline
GHSA-jv3w-x3r3-g6rm: CNA Plugins Portmap nftables backend can intercept non-local traffic
Background
The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to 198.51.100.42:53 be forwarded to the container’s network.
Vulnerability
When the portmap plugin is configured with the nftables backend, it inadvertently forwards all traffic with the same destination port as the host port, ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.
In the given example above, traffic destined to port 53 but for a separate container would still be captured and forwarded, even though it was not destined for the host.
Impact
Containers (i.e. kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. (The iptables backend is the default.)
Patches
This is fixed as of CNI plugins v1.9.0
Workarounds
Configure the portmap plugin to use the iptables backend. It does not have this vulnerability.
Background
The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. For example, if a host has the IP 198.51.100.42, a container may request that all packets to 198.51.100.42:53 be forwarded to the container’s network.
Vulnerability
When the portmap plugin is configured with the nftables backend, it inadvertently forwards all traffic with the same destination port as the host port, ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node.
In the given example above, traffic destined to port 53 but for a separate container would still be captured and forwarded, even though it was not destined for the host.
Impact
Containers (i.e. kubernetes pods) that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. (The iptables backend is the default.)
Patches
This is fixed as of CNI plugins v1.9.0
Workarounds
Configure the portmap plugin to use the iptables backend. It does not have this vulnerability.
References
- GHSA-jv3w-x3r3-g6rm
- containernetworking/plugins@9b3772e