CVE-2020-8558
The `kube-proxy` component was found to set the kernel parameter `net.ipv4.conf.all.route_localnet=1` in both `iptables` and `ipvs` modes in order to allow local loopback access. With this setting, an attacker in a container that shares the host network, or on the same LAN or an adjacent node in the layer-2 network, may reach TCP/UDP services that are bound only to the local `127.0.0.1` address of a cluster node and obtain interface information. If such a service does not enforce the necessary authentication, this may result in information leakage.
Scope
When an attacker can configure the host network, or can access a container instance that holds the `CAP_NET_RAW` capability, they can obtain socket service information by listening on `127.0.0.1` of the target node. If an exposed service on the target host is reachable via `127.0.0.1` and requires no authentication, the attacker can obtain that service's information.
CVSS scores
- If the cluster API Server exposes its non-authenticated port (default 8080), the attacker may obtain information about the API Server interface; the threat level is high-risk and the score is 8.8.
- If the cluster API Server's non-authenticated port is closed (the default), the threat level is medium-risk and the score is 5.4.
Prevention
It is recommended that you take the following preventative measures:
If a business container needs to use host network mode and listen on a non-secure port, you can mitigate this vulnerability by manually adding an `iptables` rule on the node. Run the following command on each cluster node to configure an `iptables` rule that drops non-local traffic destined for `127.0.0.1`:
```shell
iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
```
If the cluster does not need the API Server insecure port, add `--insecure-port=0` to the Kubernetes API server command line to disable the port.
If untrusted containers run in the cluster, you can prevent containers from being granted the `CAP_NET_RAW` capability by dropping it in the pod spec's `securityContext`:
```yaml
securityContext:
  capabilities:
    drop:
    - "NET_RAW"
```
Use a `PodSecurityPolicy` to restrict privileged deployments and containers that share the host network. In addition, you can configure `requiredDropCapabilities` in the policy to force every deployed container to drop the `CAP_NET_RAW` capability.
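As an added example (not part of this advisory or of the Kubernetes project), the following Python script audits the two layers of mitigation described above: whether a node still runs with `route_localnet=1` and no DROP rule protecting `127.0.0.0/8`, and which pods either share the host network or keep `CAP_NET_RAW`. It runs on constructed sample text standing in for the output of `sysctl net.ipv4.conf.all.route_localnet`, `iptables -S INPUT` and `kubectl get pods -A -o json`; the rule matching assumes the `iptables -S` listing form of the advisory's rule (`-s` before `-d`, target `-j DROP`).

```python
import json

# Components of the advisory's DROP rule as `iptables -S INPUT` lists it.
# Assumption: iptables-save prints "! -s" before "-d"; matching on parts
# rather than the exact string tolerates reordering of the other flags.
MITIGATION_PARTS = ("! -s 127.0.0.0/8", "-d 127.0.0.0/8", "-j DROP")


def node_needs_mitigation(sysctl_output: str, iptables_input_rules: str) -> bool:
    """True when route_localnet is 1 and no INPUT rule drops non-local traffic
    to 127.0.0.0/8, i.e. the node's loopback-bound services are still exposed."""
    value = sysctl_output.strip().split("=")[-1].strip()  # "key = 1" or bare "1"
    if value != "1":
        return False  # fixed kube-proxy (or parameter otherwise off)
    for line in iptables_input_rules.splitlines():
        if line.startswith("-A INPUT") and all(p in line for p in MITIGATION_PARTS):
            return False  # manual iptables mitigation present
    return True


def _dropped_caps(container: dict) -> set:
    """Capabilities dropped by a container spec, normalised without CAP_ prefix."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = set()
    for cap in caps.get("drop") or []:
        cap = cap.upper()
        dropped.add(cap[4:] if cap.startswith("CAP_") else cap)
    return dropped


def pod_findings(pod_list: dict) -> list:
    """Flag pods that share the host network and containers that keep NET_RAW,
    the two pod-level conditions the advisory's prevention steps address."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        name = f"{meta['namespace']}/{meta['name']}"
        if spec.get("hostNetwork"):
            findings.append(f"{name}: hostNetwork=true")
        for c in spec.get("containers", []):
            dropped = _dropped_caps(c)
            # NET_RAW is in the runtime default set, so it must be dropped explicitly
            if "NET_RAW" not in dropped and "ALL" not in dropped:
                findings.append(f"{name}/{c['name']}: NET_RAW not dropped")
    return findings


# --- constructed sample inputs (not captured from a real cluster) ---
SYSCTL_VULNERABLE = "net.ipv4.conf.all.route_localnet = 1\n"
SYSCTL_FIXED = "net.ipv4.conf.all.route_localnet = 0\n"
IPTABLES_UNMITIGATED = (
    "-P INPUT ACCEPT\n"
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
)
IPTABLES_MITIGATED = IPTABLES_UNMITIGATED + (
    "-A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack "
    "! --ctstate RELATED,ESTABLISHED,DNAT -j DROP\n"
)
PODS_JSON = json.loads("""{"items": [
  {"metadata": {"namespace": "kube-system", "name": "node-exporter-x1"},
   "spec": {"hostNetwork": true, "containers": [{"name": "exporter"}]}},
  {"metadata": {"namespace": "default", "name": "web-1"},
   "spec": {"containers": [{"name": "web",
     "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
  {"metadata": {"namespace": "default", "name": "worker-1"},
   "spec": {"containers": [{"name": "worker",
     "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}
]}""")

if __name__ == "__main__":
    print("node exposed:", node_needs_mitigation(SYSCTL_VULNERABLE, IPTABLES_UNMITIGATED))
    print("node exposed after rule:", node_needs_mitigation(SYSCTL_VULNERABLE, IPTABLES_MITIGATED))
    for finding in pod_findings(PODS_JSON):
        print("finding:", finding)
```

On a real node you would feed the script the actual output of the three commands instead of the samples. A `hostNetwork=true` finding is informational rather than a defect: system daemons such as kube-proxy and CNI plugins legitimately share the host network, which is exactly why the node-level `iptables` rule matters when `route_localnet` cannot yet be turned off by upgrading.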
Fixed in official Kubernetes releases
- v1.18.4
- v1.17.7
- v1.16.11
Fixed by KLTS
- v1.15.12-lts.1 kubernetes/kubernetes#92040
- v1.14.10-lts.1 kubernetes/kubernetes#92040
- v1.13.12-lts.1 kubernetes/kubernetes#92040
- v1.12.10-lts.1 CVE-2020-8558.1.12.patch
- v1.11.10-lts.1 CVE-2020-8558.1.12.patch
- v1.10.13-lts.1 TODO