Sweet32 vulnerability is detected on etcd of TKG cluster control plane node

Article ID: 400946

Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • Use nmap to enumerate the cipher suites offered on port 2379 (the etcd client port) of a TKG cluster control plane node; the report looks like the following:

    # nmap --script ssl-enum-ciphers -Pn -p 2379  <control-plane-node-ip-address>
    Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-12 10:34 +08
    Nmap scan report for <control-plane-node-ip-address>
    Host is up (0.00093s latency).

    PORT     STATE SERVICE
    2379/tcp open  etcd-client
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
    |     compressors:
    |       NULL
    |     cipher preference: server
    |     warnings:
    |       64-bit block cipher 3DES vulnerable to SWEET32 attack
    |   TLSv1.3:
    |     ciphers:
    |       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    |       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    |     cipher preference: server
    |_  least strength: C

  • The cipher suite 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA' uses the 64-bit block cipher 3DES and exposes the Sweet32 vulnerability. See CVE-2016-2183.

Environment

VMware vSphere Kubernetes Service

Resolution

To work around the issue:

  1. SSH to a control plane node of the TKG cluster and switch to the root account. See SSH to TKG Service Cluster Nodes as the System User Using a Password.
  2. Back up the etcd manifest /etc/kubernetes/manifests/etcd.yaml.
  3. Edit /etc/kubernetes/manifests/etcd.yaml with vi:

    vi /etc/kubernetes/manifests/etcd.yaml

  4. Add the '--cipher-suites' parameter under 'command', listing only the suites that should remain (the scanned suites without the 3DES suite).

    For example:

    --cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  5. Save the change.
  6. The etcd pod restarts immediately.
  7. Confirm that the etcd pod is Running:

    crictl ps | grep -i etcd

  8. Repeat the same steps on the other control plane nodes of the TKG cluster.
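As an added example (not part of this article), the following Python script parses the nmap ssl-enum-ciphers output shown above, flags every suite built on a 64-bit block cipher, and builds the '--cipher-suites' value for step 4 from the suites the server already offers. It assumes the nmap output format shown above; beyond the article's 3DES case it also treats DES, IDEA and RC2 suites as Sweet32-affected.

```python
import re
# Constructed sample: the TLSv1.2/TLSv1.3 portion of the nmap report shown above.
SAMPLE_NMAP = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|_  least strength: C
"""

VERSION_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(.*\)\s+-\s+([A-F])\s*$")
SWEET32_RE = re.compile(r"_(3DES|DES|IDEA|RC2)_")  # 64-bit block ciphers: what SWEET32 (CVE-2016-2183) hits

def parse_ssl_enum_ciphers(report):
    """Map each protocol version in the ssl-enum-ciphers block to its [(suite, grade), ...]."""
    suites, version = {}, None
    for line in report.splitlines():
        v, s = VERSION_RE.match(line), SUITE_RE.match(line)
        if v:
            version = v.group(1)
            suites.setdefault(version, [])
        elif s and version is not None:
            suites[version].append((s.group(1), s.group(2)))
    return suites

def is_sweet32_suite(suite):
    return SWEET32_RE.search(suite) is not None

def sweet32_findings(report):
    """(version, suite) pairs that a rescan of port 2379 must no longer show after the fix."""
    return [(v, s) for v, lst in parse_ssl_enum_ciphers(report).items()
            for s, _grade in lst if is_sweet32_suite(s)]

def etcd_cipher_suites_flag(report):
    """--cipher-suites value for etcd.yaml: the TLSv1.2 suites already offered, minus 64-bit
    block ciphers. TLSv1.3 names are left out; etcd's Go TLS stack does not restrict those."""
    keep = [s for s, _grade in parse_ssl_enum_ciphers(report).get("TLSv1.2", [])
            if not is_sweet32_suite(s)]
    return "--cipher-suites=" + ",".join(keep)
```

Re-running the nmap scan after step 8 and checking that sweet32_findings() returns an empty list on the new report is the check that step 7 alone does not give you.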


Note:

  • If there are 3 control plane nodes, the above steps cannot be run in parallel, because doing so would cause loss of quorum; apply them one node at a time.
  • If a control plane node is recreated for any reason, the workaround must be applied again on that node.