When kuma-dp is started against an HTTPS control plane and the operator did not pass a CA certificate, the data plane connects with TLS peer verification disabled. The dataplane authentication token is sent over this unverified connection
Impact
An on-path attacker can intercept the dataplane authentication token and impersonate the control plane to the data plane, allowing them to inject a forged bootstrap configuration and take over the proxy
Affected configurations
- Universal mode
kuma-dp started against an HTTPS control plane without --ca-cert-file (or KUMA_CONTROL_PLANE_CA_CERT unset)
Not affected
- Kubernetes installs done through the standard installers (
kumactl install control-plane or the official Helm chart). In both cases the control plane's mutating admission webhook injects KUMA_CONTROL_PLANE_CA_CERT into every sidecar at pod admission, so each kuma-dp starts with the CA already configured
Workarounds
Set --ca-cert-file (or KUMA_CONTROL_PLANE_CA_CERT) on every Universal mode data plane and point it at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration
Resources
References
When kuma-dp is started against an HTTPS control plane and the operator did not pass a CA certificate, the data plane connects with TLS peer verification disabled. The dataplane authentication token is sent over this unverified connection
Impact
An on-path attacker can intercept the dataplane authentication token and impersonate the control plane to the data plane, allowing them to inject a forged bootstrap configuration and take over the proxy
Affected configurations
kuma-dpstarted against an HTTPS control plane without--ca-cert-file(orKUMA_CONTROL_PLANE_CA_CERTunset)Not affected
kumactl install control-planeor the official Helm chart). In both cases the control plane's mutating admission webhook injectsKUMA_CONTROL_PLANE_CA_CERTinto every sidecar at pod admission, so eachkuma-dpstarts with the CA already configuredWorkarounds
Set
--ca-cert-file(orKUMA_CONTROL_PLANE_CA_CERT) on every Universal mode data plane and point it at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configurationResources
References