CNI portmap
cpe:2.3:a:cncf:portmap:*:*:*:*:container_networking_interface:*:*
- >= 1.6.0, < 1.9.0
A vulnerability in the CNI portmap plugin, affecting versions from 1.6.0 up to (but not including) 1.9.0, allows containers to intercept unintended traffic when the plugin is configured to use the nftables backend. The issue arises because the nftables backend forwards all traffic directed to a host port, disregarding the destination IP address. This misrouting includes traffic meant for other containers on the same node. As a result, a container using HostPort forwarding can capture all traffic intended for the specified port, regardless of which host address it was sent to, leading to potential interference with other containerized applications.
Exploitation of this vulnerability allows for unauthorized interception of network traffic directed to specific ports, potentially disrupting communication between containers and leading to unauthorized access to data or services.
To reproduce this vulnerability, configure the CNI portmap plugin to use the nftables backend. Then, deploy a container that requests HostPort forwarding on a port. Traffic intended for that port, including traffic to other containers on the same node, will be intercepted by the container with HostPort forwarding enabled.
Users can upgrade to CNI plugins version 1.9.0, which addresses this vulnerability. Alternatively, the portmap plugin can be configured to use the iptables backend, which does not have this issue.
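Because the advisory does not reproduce the plugin's actual nftables rules, the following is an added example, not code from the CNI plugins project: it scans a constructed, approximate `nft list ruleset` dump for DNAT rules that match on a destination port without also matching on a destination address, which is the behaviour the advisory describes. The table and chain names, sample addresses and rule text are all constructed for the example; a defender verifying a node after upgrading or switching to the iptables backend would point the same check at real `nft list ruleset` output.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nft list ruleset` output (not real portmap plugin
# output). Line 4 maps host port 8080 with no destination-address match, so
# it redirects every packet to :8080 regardless of the host IP it targeted;
# line 5 is scoped to a single host address and only catches that traffic.
SAMPLE_RULESET = """\
table ip cni_hostport {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 8080 dnat to 10.244.0.5:80
        ip daddr 192.0.2.10 tcp dport 8443 dnat to 10.244.0.6:443
    }
}
"""


@dataclass
class Finding:
    line_no: int   # 1-based line in the ruleset dump
    port: int      # host port that is forwarded for any destination IP
    rule: str      # the offending rule text, stripped


# A port-based DNAT rule: "<tcp|udp> dport <n> ... dnat to ..."
DNAT_RE = re.compile(r"\b(?:tcp|udp) dport (\d+)\b.*\bdnat to\b")
# Any destination-address match (IPv4 "ip daddr" or IPv6 "ip6 daddr")
DADDR_RE = re.compile(r"\bip6? daddr\b")


def find_unscoped_dnat(ruleset: str) -> list[Finding]:
    """Return DNAT rules that match on a destination port but not on a
    destination address. Such a rule forwards the host port for every
    address on the node, including traffic meant for other containers."""
    findings = []
    for no, line in enumerate(ruleset.splitlines(), start=1):
        m = DNAT_RE.search(line)
        if m and not DADDR_RE.search(line):
            findings.append(Finding(no, int(m.group(1)), line.strip()))
    return findings


if __name__ == "__main__":
    for f in find_unscoped_dnat(SAMPLE_RULESET):
        print(f"line {f.line_no}: host port {f.port} forwarded for any "
              f"destination IP: {f.rule}")
```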