Kubernetes K3s ReadOnlyPort Misconfiguration Exposing Sensitive Credentials
Overview
CVE-2025-46599 is a vulnerability in CNCF K3s (Lightweight Kubernetes) 1.32 releases before 1.32.4-rc1+k3s1. A misconfiguration in the bundled kubelet inadvertently sets its ReadOnlyPort to 10255 under certain conditions instead of leaving it disabled. The read-only port is served without authentication or authorization, so anyone who can reach it over the network can read the kubelet's read-only API and learn pod specs (including any plaintext environment variables), node metrics, and other node and workload metadata. Secret objects themselves are not served on this port, but the information it does return is often enough to seed further attacks.
Key Details
CVSS Score: 6.8 (MEDIUM)
Affected Versions: K3s 1.32.0 to 1.32.3
Fixed Version: 1.32.4-rc1+k3s1
Published Date: April 25, 2025
Root Cause Analysis
K3s, a lightweight Kubernetes distribution, includes a bundled kubelet that manages node operations. K3s intends to run that kubelet with the read-only port disabled (read-only-port=0). The vulnerability arises from an unintended configuration change in the affected releases:
In some deployment scenarios the kubelet ends up listening on the ReadOnlyPort, TCP 10255, which is the kubelet's historical default for that flag.
The read-only port performs no authentication or authorization, so any unauthenticated client on the network can query the kubelet endpoints it serves (for example /pods, /stats/summary and /metrics).
Impacted Scenarios
Default Online Installations:
Fresh K3s deployments of an affected release installed with the one-line script
curl -sfL https://get.k3s.io | sh
run the affected kubelet configuration and may leave 10255 listening on every node (servers and agents).
Custom Configurations:
If users pass their own kubelet flags (for example via --kubelet-arg or kubelet-arg in config.yaml) without explicitly setting
--read-only-port=0
the port remains open on the affected releases.
Exploitation Scenario
An attacker with network access to a K3s node can:
Discover the Open Port:
nmap -p 10255 <K3s_Node_IP>
If port 10255 is open, the kubelet read-only API is very likely accessible; a plain HTTP request to /healthz (no TLS, no token) confirms it.
Access Sensitive Endpoints:
Retrieve Pod Information:
curl http://<K3s_Node_IP>:10255/pods
This returns the full spec of every pod scheduled on the node: namespaces and names, service account names, images, commands and arguments, volume mounts (including hostPath mounts) and environment variables. Environment variables defined with a literal value are returned in plaintext, which is where credentials typically leak; variables populated from a Secret via secretKeyRef only reveal the Secret's name, not its contents.
Extract Node Metrics:
curl http://<K3s_Node_IP>:10255/metrics
curl http://<K3s_Node_IP>:10255/stats/summary
These expose kubelet metrics and per-pod/per-container resource usage, which doubles as an inventory of running workloads and node health.
Lateral Movement:
Plaintext environment variables frequently contain database passwords, API keys or cloud credentials. An attacker who obtains one can authenticate to the backing service directly, and the pod inventory (namespaces, service accounts, images, mounted host paths, privileged containers) tells them which workloads are the most valuable next targets inside the cluster.
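To make the exposure concrete, the following added example (not code from the original advisory or from the K3s project) parses the JSON a kubelet returns from the read-only /pods endpoint and lists what an unauthenticated reader learns: pods and their service accounts, images, plaintext environment values with credential-looking names, the names of referenced Secrets, hostPath mounts and privileged containers. The PodList embedded below is constructed for this example; every pod name, image and value in it is made up.

```python
"""Triage what an unauthenticated read of the kubelet's /pods endpoint reveals.

Added example, not code from the original advisory or from the K3s project.
Feed it the JSON body returned by http://<node>:10255/pods and it reports the
pod metadata an attacker learns, flagging the parts that matter most.
"""
import json

# Constructed sample: a trimmed kubelet PodList with two pods on one node.
SAMPLE_PODS_JSON = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "billing-api-7d9f", "namespace": "prod"},
            "spec": {
                "serviceAccountName": "billing-sa",
                "containers": [{
                    "name": "api",
                    "image": "registry.example.internal/billing:1.4.2",
                    "env": [
                        {"name": "DB_HOST", "value": "pg.prod.svc"},
                        {"name": "DB_PASSWORD", "value": "hunter2"},  # literal value: disclosed
                        {"name": "API_KEY", "valueFrom": {"secretKeyRef":
                            {"name": "billing-keys", "key": "api-key"}}},  # only the name leaks
                    ],
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
                }],
                "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
            },
        },
        {
            "metadata": {"name": "coredns-5c8b", "namespace": "kube-system"},
            "spec": {
                "containers": [{"name": "coredns", "image": "rancher/mirrored-coredns-coredns:1.12.0"}],
                "volumes": [{"name": "config", "configMap": {"name": "coredns"}}],
            },
        },
    ],
})

# Heuristic: environment variable names that usually carry credentials.
SENSITIVE_HINTS = ("PASS", "SECRET", "TOKEN", "KEY", "CRED")


def triage_pods(pods_json: str) -> dict:
    """Parse a kubelet PodList and return the security-relevant findings.

    The kubelet serves pod specs, not Secret contents: a secretKeyRef shows up
    as a Secret name only, whereas a literal `value` is disclosed as-is.
    """
    findings = {
        "pods": [],                   # (namespace/name, service account)
        "images": set(),              # container images running on the node
        "plaintext_credentials": [],  # (pod, container, env name, value)
        "secret_refs": [],            # (pod, container, secret name) - names only
        "host_paths": [],             # (pod, host path)
        "privileged": [],             # (pod, container)
    }
    for item in json.loads(pods_json).get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        pod = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        findings["pods"].append((pod, spec.get("serviceAccountName", "default")))
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:
                findings["host_paths"].append((pod, vol["hostPath"].get("path", "")))
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            findings["images"].add(c.get("image", ""))
            if c.get("securityContext", {}).get("privileged"):
                findings["privileged"].append((pod, c["name"]))
            for env in c.get("env", []):
                name = env.get("name", "")
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    findings["secret_refs"].append((pod, c["name"], ref.get("name", "")))
                elif "value" in env and any(h in name.upper() for h in SENSITIVE_HINTS):
                    findings["plaintext_credentials"].append((pod, c["name"], name, env["value"]))
    return findings


def report(findings: dict) -> str:
    """Render the findings as one line per item for a quick read."""
    lines = [f"{len(findings['pods'])} pods, {len(findings['images'])} images"]
    for key in ("plaintext_credentials", "secret_refs", "host_paths", "privileged"):
        for entry in findings[key]:
            lines.append(f"{key}: " + " ".join(str(e) for e in entry))
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: curl -s http://<K3s_Node_IP>:10255/pods > pods.json, then pass that file's text.
    print(report(triage_pods(SAMPLE_PODS_JSON)))
```

Run against a real capture, the same function is just as useful to a defender: anything that shows up under plaintext_credentials should be rotated and moved into a Secret regardless of whether the port is still open.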
Mitigation & Fixes
Immediate Workaround
Disable the ReadOnlyPort manually on every node that runs a kubelet, i.e. servers and agents alike. One way is to pass the flag through the systemd unit:
Edit the K3s unit (k3s.service on servers, k3s-agent.service on agents):
sudo vi /etc/systemd/system/k3s.service
Add the kubelet argument to the ExecStart line, for example:
ExecStart=/usr/local/bin/k3s server --kubelet-arg="read-only-port=0"
(on an agent the command is k3s agent with the same --kubelet-arg.) Note that the install script rewrites this unit file, so the change is lost if the node is reinstalled or upgraded with the script; K3s's config file, described next, survives that.
Restart K3s:
sudo systemctl daemon-reload
sudo systemctl restart k3s
Then confirm nothing listens on 10255 any more:
sudo ss -ltnp | grep 10255
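The K3s-supported place for kubelet flags is /etc/rancher/k3s/config.yaml, which both k3s server and k3s agent read and which is not touched by the install script. As an added example (a config fragment, not text from the original advisory), the following disables the read-only port; drop the same file on every server and agent node:

```yaml
# /etc/rancher/k3s/config.yaml (same content on server and agent nodes)
# Any existing kubelet-arg entries stay in the list; only read-only-port=0 is added.
kubelet-arg:
  - "read-only-port=0"
```

After saving, restart the service (systemctl restart k3s on servers, systemctl restart k3s-agent on agents) and re-check with ss -ltnp that port 10255 is no longer listening. Keeping the setting in config.yaml even after upgrading is a cheap belt-and-braces control against the flag regressing again.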
Official Fix
Upgrade every server and agent node to K3s v1.32.4-rc1+k3s1 or any later release, for example:
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.32.4-rc1+k3s1 sh -
Network-Level Protection
Block port 10255 at the host firewall as defence in depth. Nothing in a K3s cluster needs to talk to the read-only port, so dropping it is safe; insert the rule at the top of INPUT so it precedes any broad ACCEPT rule, and persist it with your distribution's mechanism (iptables-persistent, nftables config, etc.) so it survives a reboot:
sudo iptables -I INPUT -p tcp --dport 10255 -j DROP
This only protects against remote clients; processes already on the node (including compromised pods with hostNetwork) can still reach the port, so it complements rather than replaces setting read-only-port=0.
Conclusion
CVE-2025-46599 highlights the risks of misconfigured kubelet settings in K3s, leading to unauthorized data exposure. Administrators should:
✔ Upgrade immediately to the patched version.
✔ Disable ReadOnlyPort if upgrading is not feasible.
✔ Monitor network traffic and host listeners for unexpected connections to, or sockets on, port 10255, and rotate any credential found in plaintext pod environment variables on an exposed node.
This vulnerability underscores the importance of hardening Kubernetes components, even in lightweight distributions like K3s.