A new medium severity CVE has been discovered (CVE-2020-8554) affecting multitenant Kubernetes clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster. The announcement about the CVE explained:
“An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
This issue is a design flaw that cannot be mitigated without user-facing changes.”
As with any CVE, the first step is to identify if you are impacted. To help Kubernetes users, we have created instructions for identifying CVE-2020-8554 using our configuration validation software, Fairwinds Insights (free to use for 30 days), and OPA. Following these instructions, you do not need to have used OPA previously. In addition, by using the Insights Admission Controller, you can actually prevent this CVE from being introduced into new deployments.
Fairwinds Insights is a policy-driven platform that enforces custom policies - like identifying a CVE in your clusters - automating deployment guardrails and security best practices through Open Policy Agent (OPA) integrations at the CI/CD stage, or as an admission controller.
Instructions for Identifying CVE-2020-8554 in Your Clusters
Signup for Fairwinds Insights
If you are new to Fairwinds Insights, you’ll need to sign up and install the agent - follow the getting started guide.
If on a mac, run brew install FairwindsOps/tap/insights
If not on a Mac, or don’t have HomeBrew, download the binary from the Releases page and add it to your path
Copy the example policy
Download the insights-plugins repository. Inside that repository in the path plugins/opa/examples you will find all of the templated OPA policies for use with Fairwinds Insights. Copy plugins/opa/examples/lb-vuln-cve-2020-8554to your local directory.
Login to Fairwinds Insights, select your organization, then click on Settings in the menu bar. Scroll down to the Authentication Tokens section and click the Show Tokens button. Copy the token with a title of admin and open a command prompt and paste in: export FAIRWINDS_TOKEN= <token you copied>
From within the directory where you copied with the policy, run the following command: insights policy sync --organization <Insights org name>
Install the OPA report
Log into insights.fairwinds.com and navigate to the cluster you’d like to check. From there, follow these steps:
Navigate to the Report Hub menu
Add the Open Policy Agent (OPA) report
You will see a “ready to reinstall” link in the upper-right of the screen appear. Click this link to get a helm command you can use to reinstall the Fairwinds Insights Agent.
After about a minute you should see any affected resources listed in the Action Items table in Fairwinds Insights.
With Fairwinds Insights, you'll be able to identify and prevent CVE-2020-8554 from being a problem for your team.