
An Unpatched MiTM Vulnerability Affects All Kubernetes Versions

DevOps Security Kubernetes

An unpatched man-in-the-middle (MiTM) vulnerability that affects all versions of Kubernetes has recently been disclosed by Kubernetes Product Security. It is a medium-severity issue (CVE-2020-8554) in which an attacker who is able to create or edit Services and pods can intercept traffic from other pods (or nodes) in the cluster.

This vulnerability, reported by Etienne Champetier of Anevia, is a design flaw that cannot be mitigated without user-facing changes; a long-term fix is in the works.

In the recently published security advisory, Tim Allclair explained it further:

“An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.”

The Impact and the Extent of the Vulnerability

All Kubernetes versions are affected by this vulnerability, especially multi-tenant clusters that grant tenants the ability to create and update services.

Only a small number of Kubernetes deployments should be affected in practice: External IP services are rarely used in multi-tenant clusters, and granting tenant users patch service/status permissions for LoadBalancer IPs is not recommended in the first place.

At this point in time, there’s no patch for this issue and restricting access to vulnerable features is the only way to mitigate it.

Recommended Actions for K8s Administrators

Since a long-term fix is still in the works, a few recommendations have been put forward for K8s administrators to implement. They include:

  • Restricting the use of external IPs by using an admission webhook container. Source code and deployment instructions can be found here.
  • Using OPA Gatekeeper to restrict external IPs. A sample ConstraintTemplate and Constraint is published here.
  • Manual auditing of any external IP usage.
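To make the first recommendation concrete, here is the core decision logic of a validating admission webhook that denies any Service whose spec.externalIPs contains an address outside a cluster allowlist. This is an added illustration, not the webhook published by the Kubernetes project: the allowlist, the RFC 5737 test addresses and the AdmissionReview sample are constructed, and the schema structs are a hand-written subset rather than the k8s.io/api types.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written subset of the AdmissionReview and Service schemas, so the example
// builds with the standard library alone (no k8s.io/api dependency). The JSON keys
// (request, uid, object, metadata, spec, externalIPs) bind to these fields because
// encoding/json also accepts case-insensitive key matches.
type service struct {
	Metadata struct{ Name, Namespace string }
	Spec     struct{ ExternalIPs []string }
}

type admissionReview struct {
	Request struct{ UID string; Object json.RawMessage }
}

// Cluster-specific allowlist; the address is a constructed RFC 5737 test value.
var allowedExternalIPs = map[string]bool{"203.0.113.10": true}

// validate is the decision a validating webhook makes on a Service CREATE/UPDATE:
// deny when any spec.externalIPs entry is outside the allowlist, allow otherwise.
func validate(reviewJSON []byte) (allowed bool, reason string) {
	var ar admissionReview
	if err := json.Unmarshal(reviewJSON, &ar); err != nil {
		return false, "malformed AdmissionReview: " + err.Error()
	}
	var svc service
	if err := json.Unmarshal(ar.Request.Object, &svc); err != nil {
		return false, "malformed Service object: " + err.Error()
	}
	for _, ip := range svc.Spec.ExternalIPs {
		if !allowedExternalIPs[ip] {
			return false, fmt.Sprintf("service %s/%s: externalIP %s is not on the allowlist",
				svc.Metadata.Namespace, svc.Metadata.Name, ip)
		}
	}
	return true, "" // no externalIPs, or only allowlisted ones
}

// Constructed request: a tenant's ClusterIP Service claiming an unapproved externalIP.
const sampleReview = `{"request":{"uid":"1","object":{"metadata":{"name":"svc","namespace":"tenant-a"},"spec":{"externalIPs":["198.51.100.7"]}}}}`

func main() {
	fmt.Println(validate([]byte(sampleReview)))
}
```

Malformed input is denied rather than allowed, so a webhook registered with failurePolicy Fail cannot be bypassed by sending an object the check cannot parse.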

For LoadBalancer IPs

It’s not recommended to grant users patch service/status permission, but if LoadBalancer IP restrictions are required, the same approach described above for external IP mitigations can be applied.


At Magalix, we're highly experienced in defining, deploying, and managing Kubernetes-focused cloud-native governance policies. To find out more, request a commitment-free consultation.
