CVE-2020-8554: Kubernete Man in the Middle Vulnerability Alert

CVE-2020-8554: Kubernete Man in the Middle Vulnerability Alert

Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.

Kubernetes accomplishes this by organizing application containers into Pods, nodes (physical or virtual machines), and clusters, where multiple nodes form a cluster managed by a master node, which is responsible for coordinating tasks related to the cluster, such as extending, scheduling, or updating applications.

Recently, Kubernetes has exposed a man-in-the-middle vulnerability (CVE-2020-8554). The Kubernetes Product Security Committee has issued a proposal on how to temporarily prevent attackers from exploiting the vulnerability. The vulnerability may enable an attacker to intercept traffic from other Pods in a multi-tenant Kubernetes cluster in a man-in-the-middle (MiTM) attack.

Kubernetes vulnerability

The severity of the exposed vulnerability was rated as “medium”, and the CVE number was CVE-2020-8554, which affects all Kubernetes versions.
Tim Allclair explained: This issue affects multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster. An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.”
According to a report by Etienne Champetier of Anevia, the vulnerability can be exploited remotely by an attacker without user involvement and can be used as part of a low-complexity attack.

Since the Kubernetes development team has not yet provided a security update to resolve this issue, it is recommended that administrators mitigate CVE-2020-8554 by restricting access to vulnerable functions.

To restrict the use of external IPs we are providing an admission webhook container: k8s.gcr.io/multitenancy/externalip-webhook:v1.0.0. The source code and deployment instructions are published at https://github.com/kubernetes-sigs/externalip-webhook.

Alternatively, external IPs can be restricted using OPA Gatekeeper. A sample ConstraintTemplate and Constraint can be found here: https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general/externalip.

To detect attacks that attempt to exploit this vulnerability, users must manually audit the use of external IPs in a multi-tenant cluster using the LoadBalancer or ExternalIPs feature.