Flannel Command Injection Vulnerability in Kubernetes Extension Backend Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in Flannel, a network fabric for containers in Kubernetes, specifically in versions prior to 0.28.2. The issue arises in the experimental Extension backend, which allows users to prototype new backend types. This backend is vulnerable to arbitrary command execution with root privileges on all Flannel nodes in a Kubernetes cluster. The vulnerability is exploited by injecting attacker-controlled data through Kubernetes Node annotations, which is then piped directly to a shell command without proper validation. This issue does not affect other backends like vxlan or wireguard.
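
The pattern the advisory describes, shown as a vulnerable shape beside a hardened one, is an added illustration in Go and not Flannel's own code: the hook path `/opt/hooks/subnet-add`, the `BACKEND_DATA` variable and the IPv4-only allowlist are assumptions, the sample values are constructed, and the commands are only built, never executed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
)

// Hook path and value format are assumptions for this illustration, not Flannel's own.
const subnetAddHook = "/opt/hooks/subnet-add"

// unsafeHookCommand is the vulnerable shape: a value read from another node's annotation
// is spliced into a shell command line, so "10.0.0.1; id" makes sh also run "id".
func unsafeHookCommand(annotationValue string) *exec.Cmd {
	return exec.Command("sh", "-c", fmt.Sprintf("%s %s", subnetAddHook, annotationValue))
}

// Strict allowlist: for this illustration a node may only publish an IPv4 address.
var backendDataPattern = regexp.MustCompile(`^\d{1,3}(\.\d{1,3}){3}$`)

// validateBackendData rejects anything outside the allowlist before it reaches exec.
func validateBackendData(v string) error {
	if !backendDataPattern.MatchString(v) {
		return fmt.Errorf("backend data %q rejected: not in allowed format", v)
	}
	return nil
}

// safeHookCommand never hands the value to a shell: after validation it is passed as a
// single argv element and an environment variable, so metacharacters have no interpreter.
func safeHookCommand(annotationValue string) (*exec.Cmd, error) {
	if err := validateBackendData(annotationValue); err != nil {
		return nil, err
	}
	cmd := exec.Command(subnetAddHook, annotationValue)
	cmd.Env = append(os.Environ(), "BACKEND_DATA="+annotationValue)
	return cmd, nil
}

func main() {
	for _, v := range []string{"10.0.0.1", "10.0.0.1; id"} {
		fmt.Printf("unsafe argv: %q\n", unsafeHookCommand(v).Args)
		if cmd, err := safeHookCommand(v); err != nil {
			fmt.Println("safe:", err)
		} else {
			fmt.Printf("safe argv:   %q\n", cmd.Args)
		}
	}
}
```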

Impact

Exploitation of this vulnerability allows for cross-node remote code execution on all Flannel nodes in the Kubernetes cluster, with the executed commands running as the root user.

Remediation

Update Flannel to version 0.28.2, which patches this vulnerability. If an immediate update is not possible, run Flannel with a backend that is not affected, such as vxlan or wireguard.

Added: Mar 27, 2026, 8:31 PM
Updated: Mar 27, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.8
remediation: 0.0
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.