RKE version: 0.1.11
Docker version: (docker version, docker info preferred)
17.03.2-ce
Operating system and kernel: (cat /etc/os-release, uname -r preferred)
cat /etc/os-release:
```
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
```
uname -r: 4.18.5-1.el7.elrepo.x86_64
Type/provider of hosts: (VirtualBox/Bare-metal/AWS/GCE/DO)
VirtualBox
cluster.yml file:
```yaml
network:
  plugin: flannel
nodes:
  - address: rancher-master-01
    user: user
    role: [controlplane,etcd]
  - address: rancher-master-02
    user: user
    role: [controlplane,etcd]
  - address: rancher-master-03
    user: user
    role: [controlplane,etcd]
  - address: rancher-worker-01
    user: user
    role: [worker]
  - address: rancher-worker-02
    user: user
    role: [worker]
  - address: rancher-worker-03
    user: user
    role: [worker]
system_images:
  etcd: quay.io/coreos/etcd:v3.3.10
services:
  etcd:
    extra_args:
      cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
  kube-api:
    extra_args:
      tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
  kubelet:
    extra_args:
      tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
  kube-controller:
    extra_args:
      tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
```
Steps to Reproduce:
The issue is the same as in: https://github.com/rancher/rancher/issues/10354 but on a different port.
If you test with a default yml, without the changed etcd image and the cipher suites, ports 2380 and 2379 are vulnerable to:
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
According to the testssl report (https://github.com/drwetter/testssl.sh).
Results:
Using the coreos etcd v3.3.10, which has fixed the weak ciphers using the arg cipher-suites (since version 3.3.7), the vulnerability goes away.
I want to know if this is the way to go. Everything seems to be working, but I'm not sure if there are any implications of using an etcd image from outside the rancher docker hub (and of upgrading the etcd docker image version, as the latest etcd image on the rancher docker hub is 3.2.4).
I appreciate any guidance or recommendations on this.
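As an added example (not RKE's or etcd's own code), here is a small linter for the cipher-suite settings in a cluster.yml like the one above. The services section is mirrored as a plain Python dict constructed inline, so the script runs without PyYAML; it checks that every TLS-terminating component pins an explicit cipher list and that the list contains none of the suite families testssl flagged on 2379/2380: 64-bit block ciphers (SWEET32) and CBC-mode suites (LUCKY13). The flag names per component and the classification rules are the assumptions here.

```python
"""Added example: lint cipher-suite pins in an RKE cluster.yml (not RKE code)."""
import re

# Each component spells the flag differently: etcd takes --cipher-suites,
# the kube-* binaries take --tls-cipher-suites, as in the issue's cluster.yml.
CIPHER_FLAG = {
    "etcd": "cipher-suites",
    "kube-api": "tls-cipher-suites",
    "kubelet": "tls-cipher-suites",
    "kube-controller": "tls-cipher-suites",
}

# The allow-list from the issue: ECDHE key exchange, AEAD ciphers only.
AEAD_ONLY = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
)

# Constructed mirror of the hardened cluster.yml services: section.
HARDENED_CONFIG = {
    "services": {
        "etcd": {"extra_args": {"cipher-suites": AEAD_ONLY}},
        "kube-api": {"extra_args": {"tls-cipher-suites": AEAD_ONLY}},
        "kubelet": {"extra_args": {"tls-cipher-suites": AEAD_ONLY}},
        "kube-controller": {"extra_args": {"tls-cipher-suites": AEAD_ONLY}},
    }
}

# Constructed mirror of a default cluster.yml: no extra_args at all.
DEFAULT_CONFIG = {"services": {}}


def classify_suite(name):
    """Return the weakness labels that apply to one IANA/Go cipher-suite name."""
    findings = []
    # SWEET32: 64-bit block ciphers (3DES, DES, IDEA) hit the birthday bound
    # after about 2^32 blocks on a long-lived connection.
    if re.search(r"_(3DES|DES|IDEA)_", name):
        findings.append("SWEET32 (64-bit block cipher)")
    # LUCKY13: MAC-then-encrypt CBC suites expose a padding-oracle timing channel.
    if "_CBC_" in name:
        findings.append("LUCKY13 (CBC mode)")
    # Anything that is neither GCM nor ChaCha20-Poly1305 is not an AEAD suite.
    if "_GCM_" not in name and "CHACHA20_POLY1305" not in name:
        findings.append("non-AEAD suite")
    return findings


def check_config(config):
    """Map each component to its list of findings; an empty list means clean."""
    report = {}
    services = config.get("services") or {}
    for component, flag in CIPHER_FLAG.items():
        extra_args = (services.get(component) or {}).get("extra_args") or {}
        raw = extra_args.get(flag)
        if not raw:
            # No explicit list: the binary serves its compiled-in defaults,
            # which is the state testssl flagged on 2379/2380 in this issue.
            report[component] = [f"no explicit {flag}; built-in default cipher list in use"]
            continue
        findings = []
        for suite in (s.strip() for s in raw.split(",") if s.strip()):
            for label in classify_suite(suite):
                findings.append(f"{suite}: {label}")
        report[component] = findings
    return report


def is_hardened(config):
    """True when every component pins a list and no finding was raised."""
    return all(not findings for findings in check_config(config).values())


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("default", DEFAULT_CONFIG)):
        print(f"{label}: {'OK' if is_hardened(cfg) else 'FINDINGS'}")
        for component, findings in check_config(cfg).items():
            for finding in findings:
                print(f"  {component}: {finding}")
```

Run it before `rke up` and again after any edit to `extra_args`: a missing flag is reported as loudly as a weak suite, because the unpinned default list is exactly what produced the SWEET32/LUCKY13 findings in the first place.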
A configurable option was introduced in etcd for this (https://github.com/etcd-io/etcd/pull/9801/files) and backported into earlier releases. We follow k8s tested versions for all of our installs; that means for the latest supported k8s it is at v3.2.18, which does not contain the option. For the upcoming supported release (k8s 1.12) it is using v3.2.24, which does contain the option. If the defaults fix it, it should be fixed in the next k8s release automatically with the new etcd version.
The recommendation would be to strictly allow access according to the port requirements. Running a different version than what is tested is at your own risk.
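The port allow-listing recommended above, written out as an added example (not RKE's own tooling): the script derives, from the nodes section of a cluster.yml, which sources may reach the two etcd ports this thread is about, and renders that as iptables INPUT rules for an etcd node. The node addresses are constructed RFC 1918 IPs standing in for the issue's hostnames, and the port policy is my reading of the RKE port requirements (2379, the etcd client API, opened to controlplane nodes; 2380, etcd peer traffic, opened to the other etcd nodes; everything else refused); check the port table for your RKE version before applying it.

```python
"""Added example: etcd port allow-list from cluster.yml nodes (not RKE code)."""

ETCD_CLIENT_PORT = 2379  # etcd client API, used by kube-apiserver
ETCD_PEER_PORT = 2380    # etcd peer (raft) traffic between etcd members

# Constructed mirror of the issue's nodes: section, with IPs instead of
# hostnames because iptables resolves a hostname only once, at insertion time.
NODES = [
    {"address": "10.0.0.11", "role": ["controlplane", "etcd"]},  # rancher-master-01
    {"address": "10.0.0.12", "role": ["controlplane", "etcd"]},  # rancher-master-02
    {"address": "10.0.0.13", "role": ["controlplane", "etcd"]},  # rancher-master-03
    {"address": "10.0.0.21", "role": ["worker"]},                # rancher-worker-01
    {"address": "10.0.0.22", "role": ["worker"]},                # rancher-worker-02
    {"address": "10.0.0.23", "role": ["worker"]},                # rancher-worker-03
]


def nodes_with_role(nodes, role):
    """Addresses of every node carrying the given RKE role."""
    return [n["address"] for n in nodes if role in n["role"]]


def etcd_port_policy(nodes):
    """Map each etcd port to the sorted list of sources allowed to reach it.

    Assumed policy: the client port is for controlplane nodes (where
    kube-apiserver runs), the peer port for the other etcd members.
    """
    return {
        ETCD_CLIENT_PORT: sorted(set(nodes_with_role(nodes, "controlplane"))),
        ETCD_PEER_PORT: sorted(set(nodes_with_role(nodes, "etcd"))),
    }


def is_allowed(nodes, source, port):
    """True only for a source/port pair the policy explicitly permits."""
    policy = etcd_port_policy(nodes)
    return port in policy and source in policy[port]


def iptables_rules(nodes):
    """Render the policy as iptables commands for one etcd node.

    Per port: one ACCEPT per permitted source, then a DROP for everyone else.
    These must sit ahead of any broader ACCEPT already in the INPUT chain.
    """
    rules = []
    for port, sources in etcd_port_policy(nodes).items():
        for src in sources:
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {src} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(NODES):
        print(rule)
```

In this issue the controlplane and etcd roles sit on the same three hosts, so both allow-lists come out identical; split the roles and the lists diverge, with workers never appearing in either. The rules are printed rather than applied so they can be reviewed and fed to whatever persistence mechanism the host uses (iptables-save, firewalld rich rules, or a configuration-management tool).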
@superseb 3.2.24 is on the rancher/coreos docker hub; would it be ok to use that image in rke 0.1.11, or should we wait for the next release?
About allowing access according to port requirements, do you refer to iptables filters, or is there any other alternative?
Thank you!
@rstpv k8s 1.12.3 is available in rke v0.1.12, not as the default version though. It will become the default version in rke v0.2.0, the next rke release.
@rstpv with the release of RKE v0.2.0, we now support k8s v1.13.5 as the default, with an updated etcd based on kubernetes recommendations.
If there are still issues when using this version, please let me know.