CVE-2021-20291 was discovered earlier this month by Aviv Sasson. The discovery was part of a security audit surveying multiple Go libraries that Kubernetes relies on to function. The vulnerability lies in the containers/storage library and leads to a Denial of Service (DoS) of the container engines CRI-O and Podman. Threat actors may compromise any containerized infrastructure relying on these engines. The functions affected in each engine are listed below.
| CRI-O | Podman |
| --- | --- |
| Fails to pull new images | Fails to pull new images |
| Fails to start any new containers | Fails to retrieve running pods |
| Fails to retrieve local image list | Fails to start new containers |
| Fails to kill containers | Fails to exec into containers |
| | Fails to retrieve existing images |
| | Fails to kill existing containers |
Analyst Notes
Thanks to the proactive efforts of Aviv Sasson, these vulnerabilities were discovered and responsibly disclosed so they could be addressed. While Kubernetes is an industry standard and in wide use, there are still issues to be ironed out, as with any software deployed in an enterprise. Having a dedicated team supplementing and working alongside system administrators and technicians eases the responsibilities of those critical roles. A Threat Hunting team such as the team here at Binary Defense is actively looking for vulnerabilities such as these. With strong detection and mitigation efforts, issues may be resolved quickly and with care, allowing infrastructure to serve users as intended.
Source:
https://unit42.paloaltonetworks.com/cve-2021-20291/