Detect CVE-2020-8554 using Falco

CVE-2020-8554 is a vulnerability that particularly affects multi-tenant Kubernetes clusters. If a potential attacker can create or edit services and pods, then they may be able to intercept traffic from other pods or nodes in the cluster.

An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. In addition, an attacker that can patch the status of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. Generally, this is considered a privileged operation and should not typically be granted to users.

This issue is a design flaw that cannot be mitigated without user-facing changes.

Severity

Medium

Detecting CVE-2020-8554 with Falco

Detecting exploitation attempts of this vulnerability is critical to preventing or stopping an attack. You can use Falco to detect malicious activity both at the host and the container level. Falco is the CNCF open-source project for runtime threat detection for containers and Kubernetes.

One of the benefits of Falco is in leveraging its powerful and flexible rules language. As a result, Falco will generate security events when it finds abnormal behaviors as defined by a customizable set of rules. Meanwhile, Falco comes with a handful of out-of-box detection rules.

Let’s see how we can use Falco to detect when someone is trying to create a Cluster-type service with external IP.

As mentioned, the CVE-2020-8554 vulnerability is due to a Kubernetes design flaw, which allows users with create/patch service privileges to redirect network traffic to external IP addresses. Often, when a service that is used only for internal communication is created, a private IP address is assigned to this service.

CVE-2020-8554 Kubernetes Falco detection setup

Since this is a private IP address, no one can access such a service in the Kubernetes cluster. However, users can configure external IPs associated with this service.

CVE-2020-8554 Kubernetes Falco detection setup 2

In fact, this is a legit use case. However, it could be abused by malicious users to conduct a Man-in-the-Middle attack.

Falco rule: Detect Kubernetes service created/patched with external IPs

The following Falco rule can help you detect if you are impacted by CVE-2020-8554:

- macro: service_with_external_IP
  condition: (jevt.value[/requestObject/spec/externalIPs] exists and jevt.value[/requestObject/spec/externalIPs] != "<NA>")
 
- rule: Create/Update ClusterIP Service with External IP
  desc: Detect an attempt to modify a ClusterIP type service with external IP assigned (CVE-2020-8554)"
  condition:kevt and service and kmodify and jevt.value[/responseObject/spec/type]=ClusterIP and service_with_external_IP
  output: ClusterIP type service created/updated with external IP assigned (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace operation=%ka.verb ports=%ka.req.service.ports external IP=%jevt.value[/requestObject/spec/externalIPs])
  priority: WARNING
  source: k8s_audit

When someone creates or patches a service with external IP addresses, the security event output looks like this in Sysdig Secure (built on Falco):

CVE-2020-8554 Kubernetes Sysdig Secure event

Mitigation Strategy

Though creating a service with external IP addresses is a legit use case, it is still rare or limited to only certain services. DevOps teams should monitor all of the services created/patched with external IP addresses, or block such activities using a tool like the Open Policy Agent (OPA).


Conclusion

Keep in mind that since CVE-2020-8554 is a vulnerability that doesn’t have a fix due to a design flaw, you should monitor your Kubernetes cluster closer with proper security tools.

Check out Falco and Sysdig Secure for more information on how these solutions can help mitigate the vulnerability.

Stay up to date

Sign up to receive our newest.

Related Posts

Getting Started Writing Falco Rules

Runtime Security

5 Essential workflows for secure DevOps