CVE-2026-41185
Calico CNI Azure IPAM Plugin Logs Exposure of Kubernetes Credentials

Publication date: 2026-05-28

Last updated on: 2026-06-05

Assigner: Tigera, Inc.

Description
When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation, that is, once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
4 associated CPEs:

Vendor   Product   Version / Range
tigera   calico    before 22.4.0 (exclusive)
tigera   calico    before 3.21.7 (exclusive)
tigera   calico    from 3.22.0 (inclusive) to 3.22.3 (exclusive)
tigera   calico    before 3.32.0 (exclusive)
CWE
CWE-532: The product writes sensitive information to a log file.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when Calico is configured with the Azure IPAM plugin. The Calico CNI binary modifies the incoming CNI configuration to add subnet information before passing it to the IPAM plugin. After this modification, the Azure IPAM helper logs the entire configuration, including sensitive data such as the ServiceAccount token, client key, and certificate authority, in plaintext at INFO level to a log file on the node.

Because these logs are written on every pod addition or deletion, any user with read access to the log file can extract these credentials, which provide cluster-wide Calico networking administrative privileges.

Impact Analysis

The vulnerability allows any principal with read access to the Calico CNI log file on a node to obtain sensitive Kubernetes credentials in plaintext. These credentials include the ServiceAccount token, client key, and certificate authority, which grant cluster-wide Calico networking administrative privileges.

An attacker or unauthorized user could use these credentials to control or manipulate the Calico networking components across the entire Kubernetes cluster, potentially leading to network disruption, unauthorized access, or further compromise of the cluster.

Detection Guidance

This vulnerability can be detected by checking the contents of the Calico CNI log file located at /var/log/calico/cni/cni.log on each node.

Look for log entries at INFO level that contain the entire unmarshaled CNI configuration map (stdinData) during CNI ADD and DEL invocations.

Specifically, search for logs that include sensitive information such as ServiceAccount tokens, client keys, or certificate authorities in plaintext.

  • Count the dumped configuration maps directly. The leaked entries carry the credential values under the configuration's own keys, not the phrase "ServiceAccount token", so search for the map itself: sudo grep -c 'stdinData' /var/log/calico/cni/cni.log
  • To inspect the entries in context: sudo less /var/log/calico/cni/cni.log (then search for stdinData)
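A node-side scanner for this log, added here as an example that is not part of the advisory or of Calico itself: it flags every line that dumps stdinData together with a credential key, reports a SHA-256 fingerprint of each value instead of echoing the secret, and warns when the log is world-readable. The k8s_* key names, the two log line shapes (JSON and Go map dump) and the sample lines are assumptions constructed for the example.

```python
import hashlib
import os
import re
import stat
import sys

LOG_PATH = "/var/log/calico/cni/cni.log"
# Credential-bearing keys of the Calico CNI "kubernetes" config block; the exact
# names inside the dumped stdinData map are an assumption, extend as needed.
SENSITIVE_KEYS = ("k8s_auth_token", "k8s_client_key", "k8s_certificate_authority")
# Matches key:value, key=value or "key":"value" as printed in a JSON or Go map dump.
KEY_VALUE_RE = re.compile(
    r'["\']?(' + "|".join(SENSITIVE_KEYS) + r')["\']?\s*[:=]\s*["\']?([^"\',}\s\]]+)')

# Constructed sample lines: not real Calico output, and every secret is fake.
SAMPLE_LINES = [
    '2026-05-28 10:00:01.123 [INFO][4242] plugin.go 120: Calico CNI ADD command, container=abc123',
    '2026-05-28 10:00:01.456 [INFO][4242] azure.go 88: stdinData: {"cniVersion":"0.3.1",'
    '"kubernetes":{"k8s_api_root":"https://10.0.0.1:443","k8s_auth_token":"eyJhbGciOiJSUzI1NiJ9.FAKE",'
    '"k8s_certificate_authority":"/etc/kubernetes/ca.crt"}}',
    '2026-05-28 10:00:05.200 [INFO][4243] azure.go 88: stdinData: map[kubernetes:map['
    'k8s_auth_token:eyJhbGciOiJSUzI1NiJ9.FAKE k8s_client_key:/etc/calico/client.key]]',
]

def fingerprint(secret):
    """Short SHA-256 prefix so a finding can be correlated without echoing the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def find_leaks(lines):
    """One finding per log line that dumps stdinData together with a credential key."""
    findings = []
    for num, line in enumerate(lines, 1):
        hits = {key: fingerprint(val) for key, val in KEY_VALUE_RE.findall(line)}
        if "stdinData" in line and hits:  # plain ADD/DEL lines never carry the map
            findings.append({"line": num, "keys": hits})
    return findings

def is_world_readable(path):
    """True when 'other' can read the file, which widens who can harvest the tokens."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else LOG_PATH
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = find_leaks(fh)
    print(f"{len(findings)} credential-bearing stdinData entries in {path}")
    for f in findings:
        print(f"  line {f['line']}: " + ", ".join(f"{k}={v}" for k, v in f["keys"].items()))
    if findings and is_world_readable(path):
        print("  WARNING: log is world-readable; restrict it to administrators")
```

Identical fingerprints across ADD and DEL entries show the same token being re-logged for every pod event, which is what makes rotating it after cleanup necessary.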

Mitigation Strategies

The fix is to upgrade to a Calico release outside the affected version ranges listed above. Until that is possible, immediate mitigation steps include restricting read access to the /var/log/calico/cni/cni.log file to only trusted administrators, and treating any credentials already written to that file (including rotated copies) as exposed.

Additionally, consider disabling or modifying the logging behavior of the Azure IPAM helper to prevent sensitive information from being logged in plaintext.

Review and tighten Kubernetes token-based authentication configurations to limit exposure if credentials are leaked.

Monitor and audit access to the log files regularly to detect unauthorized reads.

Compliance Impact

This vulnerability exposes sensitive Kubernetes cluster credentials, including ServiceAccount tokens, client keys, and certificate authorities, in plaintext logs accessible to any principal with read access to the log files on a node.

Such exposure of sensitive authentication credentials can lead to unauthorized access and potential data breaches, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of sensitive data and access controls.

By leaking credentials in logs, the vulnerability undermines confidentiality and access control principles critical to these regulations, increasing the risk of non-compliance and associated legal or regulatory consequences.
