
Kubernetes CVE-2020-8554: Instructions to Identify if You’re Impacted

A new medium severity CVE has been discovered (CVE-2020-8554) affecting multitenant Kubernetes clusters. If a potential attacker can already create or edit services and pods, they may be able to intercept traffic from other pods (or nodes) in the cluster. The announcement about the CVE explained:

“An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

This issue is a design flaw that cannot be mitigated without user-facing changes.”

As with any CVE, the first step is to identify if you are impacted. To help Kubernetes users, we have created instructions for identifying CVE-2020-8554 using our configuration validation software, Fairwinds Insights (free to use for 30 days), and OPA. You do not need prior OPA experience to follow these instructions. In addition, by using the Insights Admission Controller, you can prevent the vulnerable configuration from being introduced into new deployments.

Fairwinds Insights is a policy-driven platform that enforces custom policies, such as identifying a CVE in your clusters, and automates deployment guardrails and security best practices through Open Policy Agent (OPA) integrations, either at the CI/CD stage or as an admission controller.
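Before the tool-specific steps, it helps to see what a check for this CVE actually looks for. The following script is an example added to this article (it is not Fairwinds' OPA policy and not Insights code). It reads the JSON that kubectl get services --all-namespaces -o json prints and reports every Service that matches either condition from the announcement: a spec.externalIPs entry, or a LoadBalancer Service whose status.loadBalancer.ingress carries an IP. It assumes the operator keeps an allow-list of external IPs that are legitimately fronted by Services (the constructed value 198.51.100.5 below), and the embedded ServiceList is constructed sample data, not output from a real cluster. The same findings function drives an admission-style allow/deny decision, which is the prevention side described above.

```python
"""Report Kubernetes Services that match the conditions behind CVE-2020-8554.

Example code added to this article; not Fairwinds' OPA policy or Insights tooling.
Input is a v1 ServiceList as printed by `kubectl get services -A -o json`.
"""
import json
import sys
from typing import Dict, Iterable, List, Tuple

# Assumption: the cluster operator maintains an allow-list of external IPs that
# Services may legitimately claim (for example a shared ingress). Constructed value.
DEFAULT_ALLOWED_EXTERNAL_IPS = frozenset({"198.51.100.5"})


def service_findings(svc: Dict, allowed_ips: Iterable[str] = DEFAULT_ALLOWED_EXTERNAL_IPS) -> List[str]:
    """Return one human-readable finding per CVE-2020-8554 condition the Service matches."""
    allowed = set(allowed_ips)
    spec = svc.get("spec") or {}
    status = svc.get("status") or {}
    findings: List[str] = []

    # Condition 1: any Service (typically ClusterIP) with spec.externalIPs set.
    # kube-proxy routes traffic addressed to those IPs to this Service's endpoints.
    for ip in spec.get("externalIPs") or []:
        if ip not in allowed:
            findings.append(f"spec.externalIPs contains {ip}, which is not on the allow-list")

    # Condition 2: a LoadBalancer Service whose status carries an ingress IP.
    # The manifest alone cannot distinguish a cloud-assigned IP from one written by a
    # status patch, so every IP outside the allow-list is surfaced for review.
    if spec.get("type") == "LoadBalancer":
        for entry in (status.get("loadBalancer") or {}).get("ingress") or []:
            ip = entry.get("ip")
            if ip and ip not in allowed:
                findings.append(f"status.loadBalancer.ingress has ip {ip}; confirm the cloud controller assigned it")
    return findings


def scan_service_list(service_list: Dict, allowed_ips: Iterable[str] = DEFAULT_ALLOWED_EXTERNAL_IPS) -> List[Dict]:
    """Walk a ServiceList and return the affected Services together with their findings."""
    report = []
    for svc in service_list.get("items") or []:
        findings = service_findings(svc, allowed_ips)
        if findings:
            meta = svc.get("metadata") or {}
            report.append({"namespace": meta.get("namespace", "default"),
                           "name": meta.get("name", "?"),
                           "findings": findings})
    return report


def admission_decision(svc: Dict, allowed_ips: Iterable[str] = DEFAULT_ALLOWED_EXTERNAL_IPS) -> Tuple[bool, str]:
    """What an admission controller would do for a Service being created or updated:
    deny when it carries an externalIP (or LB ingress IP) outside the allow-list."""
    findings = service_findings(svc, allowed_ips)
    if findings:
        return False, "; ".join(findings)
    return True, "ok"


# Constructed sample resembling `kubectl get services -A -o json`; not from a real cluster.
SAMPLE_SERVICE_LIST = {
    "apiVersion": "v1", "kind": "ServiceList",
    "items": [
        {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.10"}},
        {"metadata": {"namespace": "tenant-a", "name": "web"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.12.4", "externalIPs": ["10.0.0.25"]}},
        {"metadata": {"namespace": "tenant-b", "name": "api"},
         "spec": {"type": "LoadBalancer", "clusterIP": "10.96.33.9"},
         "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
        {"metadata": {"namespace": "shared", "name": "ingress"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.1.1", "externalIPs": ["198.51.100.5"]}},
    ],
}

if __name__ == "__main__":
    # Usage: kubectl get services -A -o json > services.json && python3 check.py services.json
    # Without an argument the constructed sample above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_SERVICE_LIST
    for item in scan_service_list(data):
        print(f"{item['namespace']}/{item['name']}")
        for finding in item["findings"]:
            print(f"  - {finding}")
```

On the sample, tenant-a/web (an externalIP outside the allow-list) and tenant-b/api (a LoadBalancer ingress IP to confirm) are reported, while kube-system/kube-dns and the allow-listed shared/ingress are not. The allow-list is the knob that lets the same logic serve as a scanner over existing objects and as a deny rule for new ones, which is the shape of the mitigation the announcement describes as requiring user-facing changes.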

Instructions for Identifying CVE-2020-8554 in Your Clusters 

Sign up for Fairwinds Insights

If you are new to Fairwinds Insights, you'll need to sign up and install the agent; follow the getting started guide.

Install the Insights CLI

Follow the Insights CLI installation instructions:

  • On a Mac, run brew install FairwindsOps/tap/insights

  • If not on a Mac, or if you don't have Homebrew, download the binary from the Releases page and add it to your PATH

Copy the example policy

Download the insights-plugins repository. Inside that repository, in the path plugins/opa/examples, you will find all of the templated OPA policies for use with Fairwinds Insights. Copy plugins/opa/examples/lb-vuln-cve-2020-8554 to your local directory.

Find your admin token

Log in to Fairwinds Insights, select your organization, then click on Settings in the menu bar. Scroll down to the Authentication Tokens section and click the Show Tokens button. Copy the token titled admin, open a command prompt, and paste in (with no space after the equals sign, or the shell exports an empty variable): export FAIRWINDS_TOKEN=<token you copied>

Sync the policy

From within the directory to which you copied the policy, run the following command: insights policy sync --organization <Insights org name>

Install the OPA report

Log into insights.fairwinds.com and navigate to the cluster you’d like to check. From there, follow these steps:

[Screenshot: Report Hub showing the OPA report "Apply custom policies to Kubernetes resources" with no reports installed]

  1. Navigate to the Report Hub menu
  2. Add the Open Policy Agent (OPA) report
  3. A "ready to reinstall" link will appear in the upper-right of the screen. Click this link to get a helm command you can use to reinstall the Fairwinds Insights Agent.


After about a minute you should see any affected resources listed in the Action Items table in Fairwinds Insights.

[Screenshot: Fairwinds Insights Action Items]

With Fairwinds Insights, you'll be able to identify and prevent CVE-2020-8554 from being a problem for your team. You can use Fairwinds Insights for free, forever. Get it here.
