All Kubernetes Versions Affected By Unpatched MiTM Vulnerability

The Kubernetes Product Security Committee has provided advice on how to temporarily block attackers from exploiting a vulnerability that could enable them to intercept traffic from other pods in multi-tenant Kubernetes clusters in man-in-the-middle (MiTM) attacks.

Kubernetes (aka K8s), originally developed by Google and now maintained by the Cloud Native Computing Foundation, is an open-source system designed to help automate the deployment, scaling, and management of containerized workloads, services, and applications over clusters of hosts.

It does this by organizing app containers into pods, nodes (physical or virtual machines), and clusters, with multiple nodes forming a cluster managed by a master that coordinates cluster-related tasks such as scaling, scheduling, or updating apps.

Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

Affected services not widely deployed

The medium severity security issue is being tracked as CVE-2020-8554 and it was reported by Etienne Champetier of Anevia.

It can be exploited remotely by attackers with basic tenant permissions (such as creating or editing services and pods) without user interaction as part of low complexity attacks.

CVE-2020-8554 is a design flaw that impacts all Kubernetes versions, with multi-tenant clusters that allow tenants to create and update services and pods being the most vulnerable to attacks.

“If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster,” as Tim Allclair, a software engineer working on Kubernetes security at Apple, explained in a security advisory published on Monday.

“If you create a service with an arbitrary external IP, then traffic to that external IP from within the cluster will be routed to that service,” Allclair added. “This lets an attacker that has permission to create a service with an external IP to intercept traffic to any target IP.”

Luckily, the vulnerability should affect a small number of Kubernetes deployments given that External IP services are not extensively used in multi-tenant clusters, and granting tenant users with patch service/status permissions for LoadBalancer IPs is not recommended.

How to block CVE-2020-8554 exploits

Since the Kubernetes development team has not yet provided a security update to address this issue, admins are advised to mitigate CVE-2020-8554 by restricting access to the vulnerable features.

You can use an admission webhook container for restricting external IP usage — source code and deployment instructions are available here.

External IPs can also be restricted with the help of the Open Policy Agent Gatekeeper policy controller for Kubernetes using constraints and templates available here.

Mitigation measures for LoadBalancer IPs are not provided since the recommended configuration is not vulnerable but, if restrictions are required, External IP recommendations also apply to LoadBalancer IPs.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

To detect attacks attempting to exploit this vulnerability you have to manually audit external IP usage within multi-tenant clusters using the vulnerable features.

“ExternalIP services are not widely used, so we recommend manually auditing any external IP usage,” Allclair said. “Users should not patch service status, so audit events for patch service status requests authenticated to a user may be suspicious.”