Vulnerability Description and Impact
A new security issue was discovered in all Kubernetes versions and disclosed on December 8, 2020 (see Kubernetes CVE-2020-8554 Security Advisory). This security issue enables an attacker to intercept traffic from other pods (or nodes) in the cluster if the attacker can create or edit services and pods.
The attack is rated medium (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
This vulnerability disclosure, originally discovered almost a year ago, unfolds a design flaw that affects all Kubernetes versions, and at this point does not have a software update that mitigates this issue. Users are advised to implement fine-grained access restrictions and can use RBAC policies and admission controllers such as this one, OPA Gatekeeper Constraint or others.
The Technical Details of the Exploit
Exploiting this weakness requires at the minimum RBAC permissions to create, update or patch Service resources, specifically:
- An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP.
- An attacker that is able to patch the status.loadBalancer.ingress.ip field of LoadBalancer service status.loadBalancer.ingress.ip can intercept traffic to that IP.
A detailed demonstration of the attack was released by its reporter and. shows how an attacker with appropriate privileges may capture traffic to a Kubernetes service or pod by creating a service that is linked to the Man in The Middle (MiTM) IP address. Interestingly, captured traffic can be routed by the attacker’s service resource to an attacker-controlled pod in the cluster or even to an external endpoint,
The types of IP configurations used in Service resources used by this specific attack are intended to be used in the cluster’s edge boundary for both ingesting traffic or accessing external services. Therefore, they are not managed by the Kubernetes cluster nor checked for collision with existing IP allocations, so the Kubernetes design does not prevent this abuse. On the other hand, patching the vulnerability by modifying the documented Kubernetes API is likely to disrupt the operation of existing clusters.
Detecting Exploit Attempts with Alcide kAudit
The Kubernetes API Server captures every request it receives in its audit log. With specific relevance to the detection of attempts to exploit CVE-2020-8554, actions like the creation of a new Service or modifying an existing Service leave traces in the audit log.
Like other security tools, Alcide kAudit enables the user to configure rules to filter specific entries in the audit log that are interesting for compliance and security investigation. In this case, the user can create rules that identify the service creation that is a part of the attack. However, in itself, service creation is a common operation, so it will be difficult and time-consuming for a security expert to differentiate between legitimate and illegitimate service creations and link these potential traces of the attack to construct a holistic understanding of it.
Alcide kAudit also automatically monitors and analyzes these audit logs. It creates and dynamically updates a profile of the normal behavior in the cluster. By comparing in real-time this profile to the audit log, kAudit can detect anomalous behavior that is associated with attempts to attack the k8s infrastructure of a cluster.
Specifically, kAudit can detect anomalous behavior related to attempts to exploit CVE-2020-8554, like in the following examples:
- The attacker compromises an existing user or service account (a principal) in the cluster that has permissions to create or modify one or more services. kAudit can detect the unusual activity leading to the compromise.
- The attacker then uses the credentials of the compromised principal to create or modify the attack’s service. kAudit can detect operations by the principal or on the service that are unusual with respect to their learned activity profiles.
By applying automated machine learning algorithms and combining correlated anomalies to an incident associated with the attacking user, which in this case is the one that creates the malicious service, Alcide kAudit can alert security teams that an attack was attempted and focus their attention on the relevant users, resources and actions to investigate.
Leveraging Alcide kAdvisor and Admission Controller to detect and block exploit attempts
As advised in the vulnerability report, it is recommended deploying guardrails to detect and restrict service modification or creation in a way that allows attackers to intercept traffic.
Alcide’s kAdvisor helps with the early and ongoing detection of such threats by continuously auditing and monitoring Kubernetes resources and entities.
kAdvisor is equipped with out-of-the-box tests that audit Ingress Controllers and Services exposed to external IPs and also report on unauthorized Ingress Controllers and Services based on customized whitelists of similar resources.
Alcide also leverages a Kubernetes-native feature - Admission Controllers.
The admission controller uses policies similar to kAdvisor for easy and uniform maintenance and management. Admission controller uses the same policy logic to deny and alert on external-facing or unauthorized Ingress Controllers and Services based on the same customized whitelist and, can help prevent such unauthorized activity that may originate from attack.
Want to give it a try? Start your 14-day trial now.