Kubernetes LocalHost Boundary Bypass Vulnerability (CVE-2020-8558)

Jul 13, 2020 GMT+08:00

I. Overview

Kubernetes has officially disclosed a localhost boundary bypass vulnerability (CVE-2020-8558) in kube-proxy, a core component. kube-proxy sets the net.ipv4.conf.all.route_localnet sysctl to 1, so the node's kernel accepts packets addressed to 127.0.0.0/8 that arrive on non-loopback interfaces. As a result, attackers on adjacent hosts in the same LAN as the node, or in containers running on the node (with CAP_NET_RAW, which most container runtimes grant by default), can reach TCP and UDP services bound to 127.0.0.1 on the node or in the node's network namespace. Such services are generally assumed to be reachable only by processes on the same host; if a service on such a port requires no additional authentication, it is exposed to attack.

If you use kube-proxy, check which services on your nodes listen on 127.0.0.1 and apply security hardening in a timely manner.

For more information about this vulnerability, visit the following website:

https://github.com/kubernetes/kubernetes/issues/92315

II. Severity

Important: when the API Server insecure port is enabled (8080 by default)

Moderate: when the API Server insecure port is disabled

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

kubelet/kube-proxy v1.18.0-1.18.3

kubelet/kube-proxy v1.17.0-1.17.6

kubelet/kube-proxy v1.16.10 and earlier

Secure versions:

kubelet/kube-proxy master

kubelet/kube-proxy v1.18.4+

kubelet/kube-proxy v1.17.7+

kubelet/kube-proxy v1.16.11+

IV. Vulnerability Handling

Secure versions with this vulnerability fixed are available. If your version falls into the affected range, upgrade to a secure version. For details, see the official documentation:

https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Workaround:

1. If you cannot upgrade yet and services on the node (for example, a container running in host network mode) must keep listening on 127.0.0.1, add the following iptables rule on every node as root. It drops traffic addressed to 127.0.0.0/8 that did not originate from the node itself, while still allowing replies to node-initiated connections and DNAT'd Service traffic. The rule is not persistent across reboots unless you save it with your distribution's iptables persistence mechanism:

iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP

If your cluster does not need the API Server insecure port, add the --insecure-port=0 flag to the kube-apiserver command line to disable it. Requests to the insecure port bypass authentication and authorization, which is why an exposed insecure port raises the severity to Important.

2. If your cluster allows untrusted pods, drop the NET_RAW capability in the securityContext of each container in the pod manifest. Without CAP_NET_RAW a container cannot craft raw packets addressed to the node's 127.0.0.1, because the pod's own network stack routes 127.0.0.1 to the pod's loopback interface rather than to the node.

securityContext:
  capabilities:
    drop: ["NET_RAW"]
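The following script is an added example, not part of this notice or of the Kubernetes project. It checks a node for the conditions described in the workaround above: whether kube-proxy has set route_localnet, which services are bound to 127.0.0.0/8 (parsed from ss output), and whether the mitigating INPUT rule from step 1 is installed (parsed from iptables -S INPUT output). The rendering of that rule as "-A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 ... -j DROP", the treatment of 127.0.0.1:8080 as the API Server insecure port, and the sample command outputs at the bottom are assumptions and constructed data, not captured from a real node.

```shell
#!/usr/bin/env bash
# Added audit script for the CVE-2020-8558 workaround steps. Not part of the
# original notice or of Kubernetes. The parsing functions take command output
# as text so they can run offline on the constructed samples at the bottom;
# audit_node runs the same checks against the live node.
set -u

# kube-proxy sets net.ipv4.conf.all.route_localnet=1; with it set, the kernel
# accepts packets for 127.0.0.0/8 that arrive on non-loopback interfaces.
route_localnet_enabled() {      # $1: contents of /proc/sys/net/ipv4/conf/all/route_localnet
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Print "proto port" for each listener bound to a 127.x address in the output
# of `ss -H -ltun` (column 5 is Local Address:Port, e.g. 127.0.0.1:8080 or
# 127.0.0.53%lo:53). Each such service is reachable from the LAN or from a
# NET_RAW container on an unpatched, unmitigated node.
localhost_listeners() {         # $1: output of `ss -H -ltun`
  printf '%s\n' "$1" | awk '
    $5 ~ /^127\.[0-9.]+(%[A-Za-z0-9]+)?:[0-9]+$/ {
      n = split($5, a, ":"); print $1, a[n]
    }'
}

# True when the workaround rule is installed. Assumed rendering by
# `iptables -S INPUT`:
#   -A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
mitigation_rule_present() {     # $1: output of `iptables -S INPUT`
  printf '%s\n' "$1" | grep -- '^-A INPUT ' | grep -- '! -s 127\.0\.0\.0/8' \
    | grep -- '-d 127\.0\.0\.0/8' | grep -q -- '-j DROP'
}

# Single-token verdict. 127.0.0.1:8080 is the API Server's default insecure
# bind, which the notice rates Important; other localhost listeners are
# Moderate. Port 8080 is a heuristic: confirm against the kube-apiserver flags.
exposure_level() {              # $1 route_localnet value, $2 ss output, $3 iptables -S INPUT output
  if ! route_localnet_enabled "$1"; then echo "not-affected"; return 0; fi
  if mitigation_rule_present "$3"; then echo "mitigated"; return 0; fi
  local listeners
  listeners=$(localhost_listeners "$2")
  if [ -z "$listeners" ]; then echo "exposed:none"; return 0; fi
  if printf '%s\n' "$listeners" | grep -qx 'tcp 8080'; then
    echo "exposed:important"
  else
    echo "exposed:moderate"
  fi
}

# Live check; run as root on a node (iptables requires root).
audit_node() {
  local rl ss_out ipt_out
  rl=$(cat /proc/sys/net/ipv4/conf/all/route_localnet)
  ss_out=$(ss -H -ltun)
  ipt_out=$(iptables -S INPUT)
  echo "verdict: $(exposure_level "$rl" "$ss_out" "$ipt_out")"
  echo "listeners on 127.0.0.0/8 (proto port):"
  localhost_listeners "$ss_out" | sed 's/^/  /'
}

# Constructed sample outputs (not captured from a real node) for offline use.
SS_SAMPLE='tcp   LISTEN 0      4096   127.0.0.1:8080    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:10248   0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*'
IPT_UNMITIGATED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
IPT_MITIGATED='-P INPUT ACCEPT
-A INPUT ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
  audit_node
else
  echo "unmitigated node: $(exposure_level 1 "$SS_SAMPLE" "$IPT_UNMITIGATED")"   # exposed:important
  echo "mitigated node:   $(exposure_level 1 "$SS_SAMPLE" "$IPT_MITIGATED")"     # mitigated
fi
```

Run it with --live as root on each node to get the verdict and the list of localhost-bound listeners; run it without arguments to see the verdicts for the constructed samples. A "mitigated" verdict only means the DROP rule is present; it does not replace upgrading to a fixed version.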

Note: Back up your files and test thoroughly before applying these fixes.