Exploiting and detecting CVE-2021-25735: Kubernetes validating admission webhook bypass
Blog post from Sysdig
CVE-2021-25735 is a medium-severity vulnerability in certain versions of Kubernetes' kube-apiserver that lets node updates bypass a Validating Admission Webhook, allowing unauthorized changes to nodes. Affected kube-apiserver versions are v1.20.0 to v1.20.5, v1.19.0 to v1.19.9, and v1.18.17 or earlier, when a Validating Admission Webhook for Nodes makes its decision using outdated (pre-update) values of the Node object. An adversary can exploit it to make unauthorized changes to node settings by manipulating node labels, such as "changeAllowed", and thereby bypass admission controls. The fix is to upgrade affected clusters to patched kube-apiserver versions. Exploitation attempts can be detected with the open-source tool Falco, which requires Kubernetes Audit Logging to be enabled; Falco flags suspicious activity by monitoring changes to node labels that could indicate an attempt to exploit this vulnerability. The article stresses upgrading to the latest kube-apiserver versions and using Falco for monitoring to prevent or detect exploitation.
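As an added illustration of the detection approach the article attributes to Falco, the following Python scans Kubernetes audit log events for node label modifications. This is example code written for this page, not Sysdig's code and not a Falco rule. The audit events are constructed samples; their layout (`objectRef.resource`, `verb`, `requestObject`, `responseStatus.code`) follows the standard `audit.k8s.io` Event format, which only carries the request body when the audit policy logs `nodes` at the `RequestResponse` level. The "changeAllowed" label is the page's example; treating it as the only gated label is an assumption of this example.

```python
import json
from dataclasses import dataclass

# Labels the example webhook gates node updates on (assumption; "changeAllowed"
# is the label named on the page). Extend for your own admission policy.
WATCHED_LABELS = {"changeAllowed"}

# Constructed audit events (one JSON object per line), not real cluster data.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","level":"RequestResponse","stage":"ResponseComplete","verb":"patch","user":{"username":"system:node:worker-1","groups":["system:nodes"]},"objectRef":{"resource":"nodes","name":"worker-1"},"requestObject":{"metadata":{"labels":{"changeAllowed":"true"}}},"responseStatus":{"code":200}}
{"kind":"Event","level":"RequestResponse","stage":"ResponseComplete","verb":"get","user":{"username":"admin"},"objectRef":{"resource":"nodes","name":"worker-1"},"responseStatus":{"code":200}}
{"kind":"Event","level":"RequestResponse","stage":"ResponseComplete","verb":"update","user":{"username":"admin"},"objectRef":{"resource":"pods","namespace":"default","name":"web"},"requestObject":{"metadata":{"labels":{"changeAllowed":"true"}}},"responseStatus":{"code":200}}
{"kind":"Event","level":"RequestResponse","stage":"ResponseComplete","verb":"patch","user":{"username":"system:node:worker-2","groups":["system:nodes"]},"objectRef":{"resource":"nodes","name":"worker-2"},"requestObject":{"metadata":{"labels":{"changeAllowed":"true"}}},"responseStatus":{"code":403}}
{"kind":"Event","level":"RequestResponse","stage":"ResponseComplete","verb":"patch","user":{"username":"admin"},"objectRef":{"resource":"nodes","name":"worker-3"},"requestObject":[{"op":"add","path":"/metadata/labels/team","value":"blue"}],"responseStatus":{"code":200}}
'''


@dataclass
class Finding:
    user: str
    node: str
    verb: str
    labels: dict
    status: int
    priority: str


def _labels_in_request(event):
    """Return the labels touched by the request body, for both patch encodings."""
    req = event.get("requestObject")
    if isinstance(req, list):
        # RFC 6902 JSON Patch: a list of ops with JSON Pointer paths.
        touched = {}
        for op in req:
            path = op.get("path", "")
            if path.startswith("/metadata/labels"):
                key = path[len("/metadata/labels"):].lstrip("/")
                key = key.replace("~1", "/").replace("~0", "~")  # JSON Pointer unescape
                touched[key or "*"] = op.get("value")
        return touched
    if isinstance(req, dict):
        # Merge / strategic-merge patch or full update: only touched fields are
        # present in a patch, so any label listed here is being modified.
        return ((req.get("metadata") or {}).get("labels")) or {}
    return {}


def detect_node_label_change(event):
    """Return a Finding if the event modifies node labels, else None."""
    if (event.get("objectRef") or {}).get("resource") != "nodes":
        return None
    if event.get("verb") not in ("patch", "update"):
        return None
    labels = _labels_in_request(event)
    if not labels:
        return None
    status = (event.get("responseStatus") or {}).get("code", 0)
    gated = WATCHED_LABELS & labels.keys()
    if status == 200 and gated:
        # A gated label changed and the API server accepted it: either the
        # webhook was bypassed (CVE-2021-25735) or the policy let it through.
        priority = "CRITICAL"
    elif gated:
        priority = "WARNING"   # attempt on a gated label that was denied
    else:
        priority = "NOTICE"    # any other node label change, for baselining
    return Finding(
        user=(event.get("user") or {}).get("username", "?"),
        node=event["objectRef"].get("name", "?"),
        verb=event["verb"],
        labels=dict(labels),
        status=status,
        priority=priority,
    )


def scan_audit_log(text):
    """Parse newline-delimited audit events and collect node label findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = detect_node_label_change(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{f.priority}] {f.user} {f.verb} node/{f.node} labels={f.labels} status={f.status}")
```

A successful (HTTP 200) change to a gated label is the strongest signal, because with a correctly enforced policy the webhook should have rejected it; denied attempts are still worth a lower-priority alert for tracking who is probing node labels. Whichever tool consumes the events, the audit policy has to record `nodes` at the `RequestResponse` level, otherwise `requestObject` is absent and label changes cannot be distinguished from other node updates.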