All versions of Kubernetes found to be at risk of attack

An unpatched man-in-the-middle (MiTM) vulnerability has been discovered which affects all versions of Kubernetes and can be exploited remotely by attackers.

The medium severity vulnerability, discovered by Anevia's Etienne Champetier last year and tracked as CVE-2020-8554, enables an attacker with the ability to create or edit services and pods to intercept traffic from other pods (or nodes) without user interaction.

In a recently published security advisory, Tim Allclair, a software engineer at Apple, explained that the issue is a design flaw that impacts all Kubernetes versions, saying:

“If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster. This issue is a design flaw that cannot be mitigated without user-facing changes.”

External IP services

While this MiTM vulnerability affects all versions of Kubernetes, only a small number of deployments are vulnerable to potential attacks as External IP services are not widely used in multi-tenant clusters.

However, since a patch is unavailable at the moment, Allclair recommends that admins restrict access to the vulnerable features to protect their multi-tenant clusters.

This can be done by using an admission webhook container created by the Kubernetes Product Security Committee, which is available for download. Alternatively, external IPs can be restricted by using OPA Gatekeeper.

To detect attacks exploiting this vulnerability, it is recommended that admins manually audit any external IP usage. Users should not patch service status, so audit events for patch service status requests that are authenticated to a user may be suspicious, according to Allclair.
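The two detection checks described above can be scripted. The following is an added example, not code from the advisory or the Kubernetes project: it lists every `spec.externalIPs` entry against an allowlist and picks out `patch` requests on `services/status` made by non-system identities. The approved CIDR, the `system:` username convention used to separate components from users, and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumption: CIDRs the cluster admins have approved for external IPs.
APPROVED_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample in the shape of `kubectl get services --all-namespaces -o json`.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "team-a", "name": "web"},
     "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.10"]}},
    {"metadata": {"namespace": "team-b", "name": "proxy"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.7"]}},
    {"metadata": {"namespace": "team-c", "name": "db"},
     "spec": {"type": "ClusterIP"}},
]}

# Constructed audit.k8s.io/v1 events, one JSON object per line.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "patch", "user": {"username": "system:serviceaccount:kube-system:service-controller"},
     "objectRef": {"resource": "services", "subresource": "status", "namespace": "team-c", "name": "db"}},
    {"verb": "patch", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "services", "subresource": "status", "namespace": "team-b", "name": "proxy"}},
    {"verb": "get", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "services", "namespace": "team-a", "name": "web"}},
])

def audit_external_ips(service_list, approved=APPROVED_CIDRS):
    """Return (namespace, name, ip, approved?) for every spec.externalIPs entry."""
    rows = []
    for svc in service_list.get("items", []):
        meta = svc["metadata"]
        for ip in svc.get("spec", {}).get("externalIPs") or []:
            ok = any(ipaddress.ip_address(ip) in net for net in approved)
            rows.append((meta["namespace"], meta["name"], ip, ok))
    return rows

def user_status_patches(audit_log, system_prefix="system:"):
    """Return (username, namespace, name) for services/status patches by non-system users."""
    hits = []
    for line in filter(str.strip, audit_log.splitlines()):
        ev = json.loads(line)
        ref, user = ev.get("objectRef") or {}, (ev.get("user") or {}).get("username", "")
        if (ev.get("verb"), ref.get("resource"), ref.get("subresource")) == ("patch", "services", "status") \
                and not user.startswith(system_prefix):
            hits.append((user, ref.get("namespace"), ref.get("name")))
    return hits

if __name__ == "__main__":
    for row in audit_external_ips(SAMPLE_SERVICES):
        print("externalIP", row)
    for hit in user_status_patches(SAMPLE_AUDIT_LOG):
        print("user status patch", hit)
```

Each external IP outside the approved ranges and each status patch from a user identity is a lead for manual review, not proof of interception.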

Via BleepingComputer