2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor explains how to use Falco to detect the vulnerability CVE-2020-8554. The article is detailed and analyzes the topic from a professional point of view; we hope you find it useful.
Vulnerability overview
CVE-2020-8554 is a vulnerability that affects multi-tenant Kubernetes clusters. If an attacker can create or edit Services and Pods, they can intercept traffic from other Pods or nodes in the cluster.
If an attacker can create a ClusterIP Service and set its .spec.externalIPs field, they can intercept all traffic to that IP. Similarly, an attacker who can patch the status of a LoadBalancer Service can achieve the same effect by setting status.loadBalancer.ingress.ip; this is normally a privileged operation, and ordinary users are not granted it.
The vulnerability is a Kubernetes design flaw, and it is difficult to fix or mitigate without changing the user-facing mechanism.
Severity
Medium
Vulnerability analysis
Kubernetes (K8s) is an open-source system for managing containerized applications across multiple hosts on a cloud platform. Its goal is to make deploying containerized applications simple and efficient, and it provides mechanisms for application deployment, scheduling, updating and maintenance. Kubernetes was originally developed by Google and is now maintained by the Cloud Native Computing Foundation (CNCF).
Researchers found a design vulnerability in Kubernetes that affects all versions; multi-tenant clusters that allow tenants to create and update Services are the most exposed. If an attacker can create or edit a Service or Pod, they may be able to intercept traffic from other Pods in the cluster. When a Service is created with an external IP, in-cluster traffic to that IP is routed to the Service, so an attacker with permission to create Services with external IPs can intercept traffic to any destination IP.
CVE-2020-8554 is a medium-severity vulnerability that can be exploited remotely by an attacker holding basic tenant privileges (create and edit on Services and Pods) without any user interaction.
Because external-IP Services are not widely used in multi-tenant clusters, and granting tenants patch permission on services/status for LoadBalancer IPs is not recommended, the vulnerability affects only a small number of Kubernetes deployments.
Use Falco to detect CVE-2020-8554
Detecting exploitation attempts against this vulnerability is key to preventing such attacks, and Falco can detect activity related to it at both the host and container level. Falco is a CNCF open-source project for runtime threat detection in containers and Kubernetes.
One of Falco's strengths is its powerful and flexible rules language: when Falco observes behaviour that a set of customizable rules defines as abnormal, it generates and reports a security event. Falco also ships with a set of ready-made detection rules.
Next, let's look at how to use Falco to detect when someone tries to create a ClusterIP-type Service with an external IP.
As mentioned above, CVE-2020-8554 is caused by a design flaw in Kubernetes. It allows a user with create/patch privileges on Services to redirect network traffic to an external IP address. In most cases, when a Service is created for internal communication only, it is assigned a private (cluster) IP address.
Because that address is private, the Service is reachable only from inside the Kubernetes cluster. However, a user can also configure and bind an external IP address to the Service.
Strictly speaking, this behaviour is within specification. However, an attacker can abuse the feature to perform a man-in-the-middle (MitM) attack.
Falco rule: detect Kubernetes Services bound to external IP addresses
If you think your cluster may be affected by CVE-2020-8554, you can use the following Falco rule to detect exploitation attempts:
```yaml
# Macro: the request carries a non-empty spec.externalIPs field
- macro: service_with_external_IP
  condition: (jevt.value[/requestObject/spec/externalIPs] exists and jevt.value[/requestObject/spec/externalIPs] != "")

# Rule: a ClusterIP Service was created or updated with an external IP (CVE-2020-8554)
- rule: Create/Update ClusterIP Service with External IP
  desc: Detect an attempt to modify a ClusterIP type service with externalIP assigned (CVE-2020-8554)
  condition: kevt and service and kmodify and jevt.value[/responseObject/spec/type]=ClusterIP and service_with_external_IP
  output: ClusterIP type service created/updated with externalIP assigned (user=%ka.user.name service=%ka.target.name ns=%ka.target.namespace operation=%ka.verb ports=%ka.req.service.ports externalIP=%jevt.value[/requestObject/spec/externalIPs])
  priority: WARNING
  source: k8s_audit
```
When someone creates or modifies a Service with an external IP address, Falco outputs the following security events:
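To make the rule's logic concrete, here is an added example (not from the original article, and not Falco's own code) that reimplements the rule's condition in Python and runs it over constructed Kubernetes audit-log events. The `kevt`, `service` and `kmodify` macros are modelled as: stage is ResponseComplete, objectRef.resource is services, and the verb is create, update or patch. As an extension beyond the rule on the page, it also flags the second vector the overview mentions, a patch to the services/status subresource that sets status.loadBalancer.ingress[].ip. All event data, user names and IP addresses are constructed for the example.

```python
# Added example: the Falco rule above reimplemented over Kubernetes audit events.
import json
from typing import Any, Dict, Iterable, List, Optional

# Falco's kmodify macro matches these verbs on an audit event.
MODIFY_VERBS = {"create", "update", "patch"}


def json_pointer(obj: Any, path: str) -> Any:
    """Resolve a path like '/requestObject/spec/externalIPs' the way Falco's
    jevt.value[...] does; return None when any segment is missing."""
    cur = obj
    for part in path.strip("/").split("/"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def service_with_external_ip(event: Dict[str, Any]) -> bool:
    """Mirror of the service_with_external_IP macro: field exists and is non-empty."""
    ips = json_pointer(event, "/requestObject/spec/externalIPs")
    return ips not in (None, "", [])


def is_service_modification(event: Dict[str, Any]) -> bool:
    """kevt and service and kmodify: a completed create/update/patch on a Service."""
    return (
        event.get("stage") == "ResponseComplete"
        and json_pointer(event, "/objectRef/resource") == "services"
        and event.get("verb") in MODIFY_VERBS
    )


def check_event(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return an alert dict (the fields the rule's output line carries) or None."""
    if not is_service_modification(event):
        return None
    base = {
        "user": json_pointer(event, "/user/username"),        # %ka.user.name
        "service": json_pointer(event, "/objectRef/name"),     # %ka.target.name
        "ns": json_pointer(event, "/objectRef/namespace"),     # %ka.target.namespace
        "operation": event.get("verb"),                        # %ka.verb
    }
    # The rule on the page: ClusterIP Service with spec.externalIPs set.
    if (json_pointer(event, "/responseObject/spec/type") == "ClusterIP"
            and service_with_external_ip(event)):
        ports = json_pointer(event, "/responseObject/spec/ports") or []
        return {**base, "reason": "externalIPs",
                "ports": [p.get("port") for p in ports],
                "ips": json_pointer(event, "/requestObject/spec/externalIPs")}
    # Extension (assumption, not part of the page's rule): a status patch that
    # sets loadBalancer.ingress[].ip on a Service.
    if json_pointer(event, "/objectRef/subresource") == "status":
        ingress = json_pointer(event, "/requestObject/status/loadBalancer/ingress") or []
        ips = [i["ip"] for i in ingress if isinstance(i, dict) and i.get("ip")]
        if ips:
            return {**base, "reason": "loadBalancer.ingress.ip", "ports": [], "ips": ips}
    return None


def scan_audit_log(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Run check_event over newline-delimited audit JSON, skipping unparsable lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = check_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample audit events (not real cluster output), one JSON object per line.
SAMPLE_AUDIT_LOG = [
    json.dumps({"stage": "ResponseComplete", "verb": "create",
                "user": {"username": "tenant-a"},
                "objectRef": {"resource": "services", "namespace": "team-a", "name": "web"},
                "requestObject": {"spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"],
                                           "ports": [{"port": 443}]}},
                "responseObject": {"spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"],
                                            "ports": [{"port": 443}]}}}),
    json.dumps({"stage": "ResponseComplete", "verb": "create",
                "user": {"username": "tenant-b"},
                "objectRef": {"resource": "services", "namespace": "team-b", "name": "api"},
                "requestObject": {"spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
                "responseObject": {"spec": {"type": "ClusterIP", "clusterIP": "10.96.0.12",
                                            "ports": [{"port": 80}]}}}),
    json.dumps({"stage": "ResponseComplete", "verb": "patch",
                "user": {"username": "tenant-a"},
                "objectRef": {"resource": "services", "subresource": "status",
                              "namespace": "team-a", "name": "lb"},
                "requestObject": {"status": {"loadBalancer": {"ingress": [{"ip": "198.51.100.7"}]}}},
                "responseObject": {"spec": {"type": "LoadBalancer"}}}),
    json.dumps({"stage": "ResponseComplete", "verb": "get",
                "user": {"username": "tenant-a"},
                "objectRef": {"resource": "services", "namespace": "team-a", "name": "web"}}),
]

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(alert)
```

Running the block flags the first event (ClusterIP Service created with externalIPs) and the third (status patch setting a load-balancer ingress IP), while the ordinary ClusterIP Service and the read-only get produce nothing. The same events, fed to Falco through its k8s_audit source, would produce one WARNING for the first event under the rule above; the status-patch case needs a rule of its own.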
Because CVE-2020-8554 stems from a design defect and cannot simply be patched, we recommend that users monitor the security of their Kubernetes clusters with appropriate security tooling.
The above is the editor's explanation of how to use Falco to detect CVE-2020-8554; if you have similar questions, the analysis above may help. To learn more, follow the industry information channel.