Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8562
CVE-2020-8562 is a TOCTOU vulnerability in the Kubernetes API server proxy that allows DNS rebinding attacks to bypass the isGlobalUnicast filter meant to block access to private IPs (e.g., 127.0.0.1, 169.254.169.254). The API server makes two separate DNS resolutions — one for the security check and one for the actual proxy request — allowing an attacker with control over a DNS server (using low-TTL responses that alternate between a public and private IP) to pass the filter check on the first lookup and reach localhost or cloud metadata services on the second. Exploitation requires cluster privileges to create Node objects and use the API server proxy, making it most impactful against managed Kubernetes providers where control plane network isolation is a security boundary. Mitigations include enforcing minimum DNS TTLs on control plane nodes or using Konnectivity to isolate proxy traffic from the control plane network. A full PoC is publicly available.
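The double-resolution flaw and its fix, modelled as an added Go example (not Kubernetes code): a constructed resolver that alternates answers the way a low-TTL rebinding zone would, the same `IsGlobalUnicast` filter, and the check-then-re-resolve flow beside the resolve-once-then-pin flow. Function names are hypothetical and no network is touched; each "dial" only reports the address it would connect to.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Resolver models one DNS lookup of a hostname.
type Resolver func(host string) (net.IP, error)

// rebindingResolver is a constructed stand-in for an attacker-controlled
// zone with low TTLs: successive queries cycle through the given answers.
func rebindingResolver(answers []string) Resolver {
	i := 0
	return func(host string) (net.IP, error) {
		ip := net.ParseIP(answers[i%len(answers)])
		i++
		if ip == nil {
			return nil, errors.New("unparseable DNS answer")
		}
		return ip, nil
	}
}

// allowed mirrors the API server proxy filter: only global unicast targets.
// Loopback and link-local (169.254.169.254) addresses fail this check.
func allowed(ip net.IP) bool { return ip.IsGlobalUnicast() }

// dialVulnerable reproduces the TOCTOU pattern: the filter runs on one
// lookup, but the connection uses a second, independent lookup.
func dialVulnerable(r Resolver, host string) (net.IP, error) {
	checked, err := r(host)
	if err != nil {
		return nil, err
	}
	if !allowed(checked) {
		return nil, errors.New("blocked by filter")
	}
	return r(host) // second resolution: a rebinding zone can answer differently
}

// dialPinned resolves exactly once, filters that answer, and connects to the
// very address that passed the check, so DNS cannot change underneath it.
func dialPinned(r Resolver, host string) (net.IP, error) {
	ip, err := r(host)
	if err != nil {
		return nil, err
	}
	if !allowed(ip) {
		return nil, errors.New("blocked by filter")
	}
	return ip, nil
}

func main() {
	answers := []string{"203.0.113.10", "169.254.169.254"} // public, then metadata IP
	v, _ := dialVulnerable(rebindingResolver(answers), "rebind.example")
	p, _ := dialPinned(rebindingResolver(answers), "rebind.example")
	fmt.Println("vulnerable flow dials:", v, "| pinned flow dials:", p)
}
```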