CVE-2020-8554 PoC — Kubernetes man in the middle using LoadBalancer or ExternalIPs

Associated Vulnerability
Title: Kubernetes man in the middle using LoadBalancer or ExternalIPs (CVE-2020-8554)
Description: Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
Description
Mitigate CVE-2020-8554 with Policy Controller in Anthos
Readme
# Mitigate CVE-2020-8554 with Policy Controller


This repository contains configuration files for using Policy Controller, which is based on the open source OPA Gatekeeper project, to block Kubernetes Services from public IP access.

The [security advisory for this issue](https://groups.google.com/g/kubernetes-announce/c/GPpZzVtGwiI) states:
>A security issue was discovered with Kubernetes affecting multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.
>
>This issue has been rated medium severity (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), and assigned CVE-2020-8554.
>
>An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

This repository contains a Template and Constraint that restrict Services to a specific allow list of public IPs, thus limiting the ability of an attacker to add IPs outside of trusted values.

You can apply these policies using [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller), which is included as part of [Anthos Config Management](https://cloud.google.com/anthos/config-management). To customize the allowed IP addresses, edit or add items to the "allowedIPs" list in [k8sExternalIPs_constraint.yaml](https://github.com/jrmurray000/CVE-2020-8554/blob/main/k8sExternalIPs_constraint.yaml).
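For orientation, here is a sketch of what an allow-list Template and Constraint pair of this kind can look like. It is an added example, not the files from this repository: the kind `K8sExternalIPs`, the Rego package name, the constraint name and the sample address are assumptions, and only the `allowedIPs` parameter name comes from the README.

```yaml
# Added example (not the repository's files). Kind, package and object names are assumptions.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sexternalips
spec:
  crd:
    spec:
      names:
        kind: K8sExternalIPs
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedIPs:            # parameter name taken from the README
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sexternalips

        # Reject a Service if any spec.externalIPs entry is not on the allow list.
        # A Service without externalIPs yields an empty set and is admitted.
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.kind.group == ""
          allowed := {ip | ip := input.parameters.allowedIPs[_]}
          requested := {ip | ip := input.review.object.spec.externalIPs[_]}
          forbidden := requested - allowed
          count(forbidden) > 0
          msg := sprintf("Service has externalIPs outside the allow list: %v", [forbidden])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips-allowlist
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
  parameters:
    allowedIPs:
      - "203.0.113.10"             # constructed sample value (documentation range)
```

This sketch compares addresses as exact strings and inspects only `spec.externalIPs`; it does not look at `status.loadBalancer.ingress`, the second path named in the advisory.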

## Blocking by CIDR


If you only want to block IPs in a specific CIDR range, use the files `k8sExternalIPsCIDR_constraint.yaml` and `k8sExternalIPsCIDR_template.yaml`. For example, you can use them to prevent an attacker from setting the `spec.externalIPs` field to an address in the default Kubernetes Services CIDR.
File Snapshot

[4.0K] /data/pocs/a1797f59f855690fe7eb80bed5af8c87147b8094
├── [ 375] k8sExternalIPsCIDR_constraint.yaml
├── [1.0K] k8sExternalIPsCIDR_template.yaml
├── [ 227] k8sExternalIPs_constraint.yaml
├── [1.0K] k8sExternalIPs_template.yaml
├── [ 11K] LICENSE
└── [2.0K] README.md

0 directories, 6 files