CVE-2020-8554 is a vulnerability that particularly affects multi-tenant Kubernetes clusters. If a potential attacker can create or edit services and pods, then they may be able to intercept traffic from other pods or nodes in the cluster.
An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. In addition, an attacker that can patch the status of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. Generally, this is considered a privileged operation and should not typically be granted to users.
This issue is a design flaw that cannot be mitigated without user-facing changes.
Detecting CVE-2020-8554 with Falco
Detecting exploitation attempts of this vulnerability is critical to preventing or stopping an attack. You can use Falco to detect malicious activity at both the host and the container level. Falco is the CNCF open-source project for runtime threat detection for containers and Kubernetes.
One of Falco's strengths is its flexible rules language: Falco generates security events whenever it observes behavior that matches a customizable set of rules, and it ships with a set of out-of-the-box detection rules to start from.
Let's see how we can use Falco to detect when someone tries to create a ClusterIP-type service with an external IP.
As mentioned, CVE-2020-8554 stems from a Kubernetes design flaw that lets any user with create or patch permissions on Services redirect network traffic to arbitrary IP addresses. When a service intended only for in-cluster communication is created, it is assigned a cluster-private IP (the ClusterIP) from the cluster's service address range.
Because that IP is routable only inside the cluster, the service cannot be reached from outside it. However, users can also attach additional addresses to the service through spec.externalIPs, and kube-proxy will then forward traffic arriving at a node for any of those addresses to the service's endpoints.
This is a legitimate use case in itself. However, a malicious user can abuse it to perform a man-in-the-middle attack: by setting spec.externalIPs to an address that other workloads already talk to, the attacker causes their traffic to be redirected to the attacker's own pods.
Falco rule: Detect Kubernetes service created/patched with external IPs
The following Falco rule can help you detect if you are impacted by CVE-2020-8554. The kevt, service and kmodify macros it relies on are defined in Falco's default k8s_audit_rules.yaml, so load this rule alongside them:

```yaml
- macro: service_with_external_IP
  condition: (jevt.value[/requestObject/spec/externalIPs] exists and jevt.value[/requestObject/spec/externalIPs] != "<NA>")

- rule: Create/Update ClusterIP Service with External IP
  desc: Detect an attempt to modify a ClusterIP type service with external IP assigned (CVE-2020-8554)
  condition: kevt and service and kmodify and jevt.value[/responseObject/spec/type]=ClusterIP and service_with_external_IP
  output: ClusterIP type service created/updated with external IP assigned (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace operation=%ka.verb ports=%ka.req.service.ports external IP=%jevt.value[/requestObject/spec/externalIPs])
  priority: WARNING
  source: k8s_audit
```

Note that the rule reads the service type from the responseObject (the object as stored by the API server) rather than from the request: a patch that only adds externalIPs to an existing ClusterIP service carries no spec.type in its request body, but still matches.
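To check the matching logic offline, here is an added example (not code from the original post or from the Falco project) that re-implements the rule above in Python over newline-delimited Kubernetes audit events. The audit events in SAMPLE_AUDIT_LOG are constructed for this example; the field names follow the audit.k8s.io/v1 Event schema (verb, user, objectRef, requestObject, responseObject), and the IP addresses, namespaces and user names are made up.

```python
"""Added example: the Falco rule above re-implemented over Kubernetes audit
events so that its matching logic can be run and checked offline. The audit
events below are constructed for this example, not captured from a cluster."""
import json

# Verbs covered by Falco's kmodify macro.
MODIFY_VERBS = {"create", "update", "patch"}


def service_with_external_ip(event: dict) -> bool:
    """Mirror of the service_with_external_IP macro: the request body
    carries a non-empty spec.externalIPs list."""
    spec = (event.get("requestObject") or {}).get("spec") or {}
    return bool(spec.get("externalIPs"))


def is_clusterip_external_ip_event(event: dict) -> bool:
    """Mirror of the rule condition: a create/update/patch on a Service whose
    stored type is ClusterIP and whose request sets externalIPs."""
    if event.get("verb") not in MODIFY_VERBS:
        return False
    if (event.get("objectRef") or {}).get("resource") != "services":
        return False
    # Like the Falco rule, read the type from the responseObject: a patch that
    # only adds externalIPs carries no spec.type in its requestObject.
    resp_spec = (event.get("responseObject") or {}).get("spec") or {}
    if resp_spec.get("type") != "ClusterIP":
        return False
    return service_with_external_ip(event)


def format_alert(event: dict) -> str:
    """Build an alert line in the same shape as the Falco rule's output."""
    obj_ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "<NA>")
    ips = ((event.get("requestObject") or {}).get("spec") or {}).get("externalIPs", [])
    return (
        "ClusterIP type service created/updated with external IP assigned "
        f"(user={user} service={obj_ref.get('name')} ns={obj_ref.get('namespace')} "
        f"operation={event.get('verb')} external IP={','.join(ips)})"
    )


def scan_audit_log(lines) -> list:
    """Run the detection over JSON audit events (one per line) and return
    one alert string per matching event, in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_clusterip_external_ip_event(event):
            alerts.append(format_alert(event))
    return alerts


# Constructed sample audit log (made-up names, namespaces and addresses).
SAMPLE_AUDIT_LOG = [
    # 1. Attack pattern: a ClusterIP service created with an externalIP that
    #    is another tenant's service address, so that traffic to it is hijacked.
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create", "user": {"username": "tenant-b-dev"},
        "objectRef": {"resource": "services", "namespace": "tenant-b", "name": "evil-svc"},
        "requestObject": {"spec": {"type": "ClusterIP", "externalIPs": ["10.97.33.1"],
                                    "ports": [{"port": 80, "targetPort": 8080}]}},
        "responseObject": {"spec": {"type": "ClusterIP", "clusterIP": "10.97.12.5",
                                     "externalIPs": ["10.97.33.1"]}},
    }),
    # 2. Benign: an ordinary ClusterIP service with no externalIPs.
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "create", "user": {"username": "tenant-a-dev"},
        "objectRef": {"resource": "services", "namespace": "tenant-a", "name": "web"},
        "requestObject": {"spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
        "responseObject": {"spec": {"type": "ClusterIP", "clusterIP": "10.97.33.1"}},
    }),
    # 3. Attack pattern via patch: externalIPs added to an existing ClusterIP
    #    service; the request body has no spec.type, only the response does.
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "patch", "user": {"username": "tenant-b-dev"},
        "objectRef": {"resource": "services", "namespace": "tenant-b", "name": "proxy"},
        "requestObject": {"spec": {"externalIPs": ["10.97.33.1"]}},
        "responseObject": {"spec": {"type": "ClusterIP", "clusterIP": "10.97.40.9",
                                     "externalIPs": ["10.97.33.1"]}},
    }),
    # 4. A read of a service that already has externalIPs is not a modification.
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": "get", "user": {"username": "tenant-a-dev"},
        "objectRef": {"resource": "services", "namespace": "tenant-b", "name": "proxy"},
        "responseObject": {"spec": {"type": "ClusterIP", "externalIPs": ["10.97.33.1"]}},
    }),
]

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(alert)
```

Running the block prints two alerts, for the create of evil-svc and the patch of proxy; the benign create and the get are ignored. The same predicate can be reused as the deny condition of an admission policy if you decide to block rather than only alert.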
When someone creates or patches a service with external IP addresses, the security event output looks like this in Sysdig Secure (built on Falco):
Though creating a service with external IP addresses is a legitimate use case, it is rare and usually limited to a few well-known services. DevOps teams should monitor every service created or patched with external IP addresses, or block such operations outright with an admission controller such as the Open Policy Agent (OPA).
Keep in mind that because CVE-2020-8554 is a design flaw with no fix, you should monitor your Kubernetes cluster more closely with proper security tools.