HIGH: Accessible Kubernetes API Server Report

DESCRIPTION LAST UPDATED: 2023-12-15

DEFAULT SEVERITY LEVEL: HIGH

Introduction

This report identifies accessible Kubernetes API instances that respond with a 200 OK HTTP to our probes. While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface. They also allow for information leakage on version and builds.

How we scan 

We scan with a HTTP request using the /version URI. We scan all of the IPv4 space on ports 6443 and 443. We include only Kubernetes servers that respond with a 200 OK (with accompanying JSON response), and hence disclose version information in their response. For a mapping of all Kubernetes API services on your network/constituency (including ones that do not allow for access) check out our Device Identification Report.

Dashboard

You can track latest Kubernetes API scan results on the Shadowserver Dashboard.

Mitigation

If you are notified of an instance that is accessible, please consider implementing authorization for access or block at the firewall level to reduce your exposed attack surface.

You can read more on securing access to the Kubernetes API in this official guide.

This scan was first announced 2022-05-17 on our blog “Over 380 000 open Kubernetes API servers”.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename: scan_kubernetes

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the HTTP response came on (always TCP)
  • port
    Port that is being queried (port 6443 and port 443)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "kubernetes"
  • version
    Version information if any
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • http
    http version
  • http_code
    HTTP Response code: in this case always 200
  • http_reason
    The text reason to go with the HTTP Code - in this case, always "OK"
  • content_type
    The MIME type of the body of the request
  • server
    HTTP Server type
  • date
    The date and time that the message was sent
  • major
    Kubernetes major version
  • minor
    Kubernetes minor version
  • git_version
    Kubernetes git version
  • git_commit
    Tag when built from source
  • git_tree_state
    Git tree state
  • build_date
    Kubernetes build date
  • go_version
    Go version
  • compiler
    Compiler
  • platform
    Platform on which was built
  • handshake
    TLS version negotiated
  • cipher_suite
    The highest CipherSuite that was able to be negotiated
  • cert_length
    Certificate Key Length (1024 bit, 2048 bit, etc)
  • subject_common_name
    The Common Name (CN) of the SSL certificate
  • issuer_common_name
    The Common Name of the entity that signed the SSL certificate
  • cert_issue_date
    Date when the SSL certificate became valid
  • cert_expiration_date
    Date when the SSL certificate expires
  • sha1_fingerprint
    SHA1 fingerprint of certificate
  • cert_serial_number
    Certificate serial number
  • ssl_version
    SSL/TLS version
  • signature_algorithm
    Signature algorithm used
  • key_algorithm
    Key algorithm used
  • subject_organization_name
    The subject organization name (ON) of the certificate
  • subject_organization_unit_name
    The organization unit name of the subject of the certificate
  • subject_country
    The country of the subject of the certificate
  • subject_state_or_province_name
    The state or province name of the subject of the certificate
  • subject_locality_name
    The locality name of the subject of the certificate
  • subject_street_address
    The street address of the subject of the certificate
  • subject_postal_code
    The postal code of the subject of the certificate
  • subject_surname
    The surname of the subject of the certificate
  • subject_given_name
    The given name of the subject of the certificate
  • subject_email_address
    The e-mail address of the subject of the certificate
  • subject_business_category
    The business category of the subject of the certificate
  • subject_serial_number
    Serial number of the subject of the certificate
  • issuer_organization_name
    Issuing organization name
  • issuer_organization_unit_name
    Issuing organization unit name
  • issuer_country
    Country of issuer
  • issuer_state_or_province_name
    State or province of issuer
  • issuer_locality_name
    Locality of issuer
  • issuer_street_address
    Street address of issuer
  • issuer_postal_code
    Postal code of issuer
  • issuer_surname
    Surname of issuer
  • issuer_given_name
    Given name of issuer
  • issuer_email_address
    Email address of issuer
  • issuer_business_category
    Business category of issuer
  • issuer_serial_number
    Serial number of issuer
  • sha256_fingerprint
    SHA256 fingerprint of certificate
  • sha512_fingerprint
    SHA512 fingerprint of the certificate
  • md5_fingerprint
    MD5 fingerprint of certificate
  • cert_valid
    Is the certificate valid (Y/N)?
  • self_signed
    Is the certificate self-signed (Y/N)?
  • cert_expired
    Whether the cert has expired (Y/N)
  • validation_level
    Certificate validation level, e.g. DV, OV, EV
  • browser_trusted
    Browser trusted certificate (Y/N)?
  • browser_error
    Browser certificate errors encountered when scanning
  • raw_cert
    Copy of raw certificate
  • raw_cert_chain
    Copy of raw certificate chain

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","sector","http","http_code","http_reason","content_type","server","date","major","minor","git_version","git_commit","git_tree_state","build_date","go_version","compiler","platform","handshake","cipher_suite","cert_length","subject_common_name","issuer_common_name","cert_issue_date","cert_expiration_date","sha1_fingerprint","cert_serial_number","ssl_version","signature_algorithm","key_algorithm","subject_organization_name","subject_organization_unit_name","subject_country","subject_state_or_province_name","subject_locality_name","subject_street_address","subject_postal_code","subject_surname","subject_given_name","subject_email_address","subject_business_category","subject_serial_number","issuer_organization_name","issuer_organization_unit_name","issuer_country","issuer_state_or_province_name","issuer_locality_name","issuer_street_address","issuer_postal_code","issuer_surname","issuer_given_name","issuer_email_address","issuer_business_category","issuer_serial_number","sha256_fingerprint","sha512_fingerprint","md5_fingerprint","cert_valid","self_signed","cert_expired","validation_level","browser_trusted","browser_error","raw_cert","raw_cert_chain"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,10443,node01.example.com,kubernetes,,64512,ZZ,Region,City,0,,,HTTP/1.1,200,OK,application/json,,"Sat, 25 Nov 2023 01:18:07 GMT",1,27,v1.27.2,7f6f68fdabc4df88cfea2dcf9a19b2b830f1e647,clean,2023-05-17T14:13:28Z,go1.20.4,gc,linux/amd64,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,N,Y,unknown,N,,,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,10443,node02.example.com,kubernetes,,64512,ZZ,Region,City,0,,,HTTP/1.1,200,OK,application/json,,"Sat, 25 Nov 2023 01:18:08 GMT",1,27,v1.27.3,25b4e43193bcda6c7328a6d147b1fb73a33f1598,clean,2023-06-14T09:47:40Z,go1.20.5,gc,linux/amd64,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,N,Y,unknown,N,,,
"2010-02-10 00:00:02",high,192.168.0.3,tcp,10443,node03.example.com,kubernetes,,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",HTTP/1.1,200,OK,application/json,,"Sat, 25 Nov 2023 01:19:20 GMT",1,16,v1.16.6,72c30166b2105cd7d3350f2c28a219e6abcd79eb,clean,2020-01-18T23:23:21Z,go1.13.5,gc,linux/amd64,TLSv1.2,TLS_AES_256_GCM_SHA384,2048,example.com,example.com,"2012-11-14 11:18:27","2021-11-12 11:18:27",03:39:9E:5D:77:19:38:C4:49:DE:C3:3D:9B:E6:13:ED:5A:F1:42:55,B3F13DFBDBA2D8B2,2,sha256WithRSAEncryption,rsaEncryption,,,ZZ,,,,,,,,,,,,,,,,,,,,,,E1:D1:6E:87:49:B9:AC:74:B4:AC:9B:77:85:27:69:97:0D:16:B1:F6:63:F0:26:51:AA:89:42:39:66:BD:47:D0,1C:E9:04:22:90:46:68:0B:8B:54:33:38:C6:20:5F:EE:A6:73:A6:B5:2C:7D:12:94:DE:F1:CC:11:2E:72:0B:97:C2:7D:19:BF:E0:6B:98:A9:21:D9:9D:5A:CB:38:0B:D8:7E:E2:8E:2B:EA:15:EC:60:11:1E:41:E3:FB:4C:20:9F,F1:8A:02:48:3C:6B:F4:00:CC:5C:D5:B0:71:E4:FA:00,N,N,Y,unknown,N,,,

Our 124 Report Types