Kube-Proxy Windows Traffic Forwarding Bug (CVE-2021-25736)
CVE-2021-25736 Published on October 30, 2023

Windows kube-proxy LoadBalancer contention
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (spec.ports[*].port) as a LoadBalancer Service when the LoadBalancer controller does not set the status.loadBalancer.ingress[].ip field. Clusters where the LoadBalancer controller sets the status.loadBalancer.ingress[].ip field are unaffected.

NVD

Vulnerability Analysis

CVE-2021-25736 is exploitable with network access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

Process Control

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is. 2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.


Products Associated with CVE-2021-25736

Want to know whenever a new CVE is published for Kubernetes? stack.watch will email you.

Kubernetes
 

Affected Versions

Kubernetes:

Exploit Probability

EPSS
0.08%
Percentile
23.70%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.