Kube-router External IP Validation Vulnerability in Proxy Module Allows Traffic Hijacking and DNS Denial-of-Service
Vulnerability
A vulnerability exists in Kube-router's proxy module, prior to version 2.8.0, where externalIPs and loadBalancer IPs are not validated against configured ranges before being applied to the node's network settings. This flaw can be exploited by users with namespace-scoped permissions to create or modify Services, leading to unauthorized traffic redirection and potential disruption of critical services like DNS. The issue arises because the proxy module ignores the 'service-external-ip-range' parameter, creating a disconnect between administrative controls and actual enforcement.
Impact
Exploitation allows for arbitrary external IPs to be bound on all cluster nodes, with traffic directed to attacker-controlled pods. This can overwrite existing DNS service endpoints, causing widespread name resolution failures. The vulnerability also bypasses configured external IP range validations, allowing unauthorized IPs to be used.
Reproduction
The vulnerability can be reproduced by creating a Service with externalIPs that fall outside the allowed ranges or conflict with existing ClusterIPs. This can be done using a Kubernetes cluster with Kube-router installed, by applying a Service resource that includes malicious external IPs. The impact can be verified by checking the node's network configuration and observing the disruption of services like DNS.
Remediation
Users are advised to upgrade to Kube-router version 2.8.0 or later, where this vulnerability has been addressed. For those unable to upgrade immediately, the DenyServiceExternalIPs feature gate can be enabled, and admission policies can be deployed to restrict the use of externalIPs in Services. Additionally, monitoring Service changes and applying BGP prefix filtering can help mitigate the risk.
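The following is an added example, not code from the Kube-router project or from this advisory, showing one way to do the Service monitoring mentioned above: it audits Service objects for external or load-balancer IPs that fall outside an allowed range or collide with ClusterIPs. The CIDR ranges, namespaces, Service names and the function name are constructed assumptions; substitute the values configured for your cluster.

```python
import ipaddress

# Constructed sample shaped like the .items of `kubectl get svc -A -o json`.
SAMPLE = [
    {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
     "spec": {"clusterIP": "10.96.0.10"}},
    {"metadata": {"namespace": "team-a", "name": "web"},
     "spec": {"clusterIP": "10.96.14.2", "externalIPs": ["203.0.113.7"]}},
    {"metadata": {"namespace": "team-b", "name": "probe"},
     "spec": {"clusterIP": "10.96.20.5",
              "externalIPs": ["10.96.0.10", "198.51.100.9"]}},
]

def _ref(svc):
    return f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'

def audit_services(services, allowed_ranges, service_cidr):
    """Return (service, ip, reason) for each externally bound IP that collides
    with a ClusterIP, sits in the ClusterIP range, or is outside allowed_ranges."""
    allowed = [ipaddress.ip_network(r) for r in allowed_ranges]
    cluster_net = ipaddress.ip_network(service_cidr)
    owners = {}  # ClusterIP -> owning Service, so collisions can be named
    for svc in services:
        cip = svc.get("spec", {}).get("clusterIP")
        if cip and cip != "None":  # headless Services have clusterIP "None"
            owners[ipaddress.ip_address(cip)] = _ref(svc)
    findings = []
    for svc in services:
        ips = list(svc.get("spec", {}).get("externalIPs") or [])
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        ips += [i["ip"] for i in ingress if i.get("ip")]
        for raw in ips:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((_ref(svc), raw, "unparseable address"))
                continue
            owner = owners.get(ip)
            if owner and owner != _ref(svc):
                findings.append((_ref(svc), raw, f"collides with ClusterIP of {owner}"))
            elif ip in cluster_net:
                findings.append((_ref(svc), raw, "inside service ClusterIP range"))
            elif not any(ip in net for net in allowed):
                findings.append((_ref(svc), raw, "outside allowed external range"))
    return findings

if __name__ == "__main__":
    for finding in audit_services(SAMPLE, ["203.0.113.0/24"], "10.96.0.0/12"):
        print(*finding, sep="\t")
```

Run against live data by loading the `items` array from `kubectl get svc -A -o json` in place of `SAMPLE`.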
