Planned Fix

CVE-2021-25736

Kubernetes kube-proxy Windows traffic forwarding

Summary

Kube-proxy on Windows can unintentionally forward traffic destined for a LoadBalancer service to a local process listening on the same port when the ingress IP field is not set, potentially exposing confidential data. Exploitation requires network access to a Windows-based Kubernetes cluster with a LoadBalancer service and specific ingress IP conditions.

Why Planned Fix?

2/6
No authentication required
Deployment unknown
No user interaction needed
Not exploitable in default configuration
No active exploitation or PoC
Not a high impact vulnerability

Exploitation Details

Type: Unknown
Is exploitable with default configuration? No
Is authentication needed? No
PoC / Exploit: No

Impact

Confidentiality breach by forwarding LoadBalancer traffic to a local process, enabling potential exposure of sensitive data

Exploitation Requirements
  • Windows-based Kubernetes cluster
  • kube-proxy on Windows
  • LoadBalancer Service configured without status.loadBalancer.ingress[].ip
  • a local process listening on the same port
  • network access to the cluster

Exploitation Process

1) Identify a Windows-based Kubernetes cluster using a LoadBalancer service.
2) Confirm the LoadBalancer controller does not set status.loadBalancer.ingress[].ip.
3) Ensure a local process is listening on the same port as the LoadBalancer service.
4) Send traffic toward the LoadBalancer port; kube-proxy forwards traffic to the local process.
5) Observe leakage of data intended for the LoadBalancer service.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: Kubernetes
Product: kube-proxy (Windows)
Affected Versions: Kubernetes 1.18.0-1.18.17; 1.19.0-1.19.9; 1.20.0-1.20.5

Description

Kubernetes component that runs on each node to manage network routing for Services, including LoadBalancer type services.

Deployment:
Protocol: TCP
Ports: 80, 443
Affected Component: kube-proxy on Windows handling LoadBalancer service traffic

Affected Endpoints (3)
1. https://github.com/kubernetes/kubernetes/pull/99958
2. https://groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ
3. https://security.netapp.com/advisory/ntap-20231221-0003/
Vendor Size: Niche

Remediation
Workaround

Not available

Patch

Not available

Update

Not available

Threat Intelligence
EPSS Score: 10.0%
Probability of exploitation in the next 30 days

EPSS Percentile: 31%
Worse than 31% of all CVEs

CISA KEV: Not Listed
Active Exploitation: No Evidence

Threat Actors

No known threat actors

Detection Rules (3)
  • Other: Threat hunting resource
  • Other: Threat hunting resource
  • Other: Threat hunting resource

NVD Data


Description Summary

Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.

CVSS Base Score

6.3
Medium

CVSS Vector (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): None
Availability (A): None

CWE:
Version From: 1.18.0, 1.19.0, 1.20.0
Version Upto: 1.18.17, 1.19.9, 1.20.5

Affected Software (CPE) (4)

  • cpe:2.3:a:kubernetes:kubernetes:1.18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:kubernetes:kubernetes:1.19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:kubernetes:kubernetes:1.20.0:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*