Dec 11, 2020

Cilium Zero Trust Networking Protections Against CVE-2020-8554

Contributed by Jed Salazar, Senior Solutions Architect, and Martynas Pumputis, Software Engineer

You've probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you're unfamiliar, a MITM vulnerability works by redirecting a victim's legitimate network traffic through an attacker hidden on the network, where the attacker can eavesdrop on or actively tamper with the victim's data before forwarding it to its intended destination. There have been several MITM vulnerabilities in Kubernetes, most of which take advantage of the overly permissive CAP_NET_RAW capability that Kubernetes grants by default. However, this vulnerability is unique in two ways:

  1. MITM attacks generally make use of common types of network vulnerabilities, whereas this vulnerability affects the API layer of Kubernetes itself.
  2. Unlike most vulnerabilities that are assigned a Common Vulnerabilities and Exposures (CVE), there's no patch or hotfix you can deploy to protect your environment.

This vulnerability is also unique in another way: if you're running Cilium without kube-proxy, you aren't vulnerable to it at all. Let's talk about how.

CVE-2020-8554

The vulnerability affects multitenant clusters: an attacker who can create a ClusterIP Service sets its ExternalIP field to an IP address whose traffic they intend to intercept and eavesdrop on, and kube-proxy then redirects that traffic to the attacker's Service. When running with kube-proxy, protection from this vulnerability requires that you implement a fairly complex set of mitigations such as Open Policy Agent (OPA) Gatekeeper or an admission webhook.

Cilium with kube-proxy

Figure: CVE with kube-proxy

At Isovalent (the company that makes Cilium), we've been busy building Zero Trust Networking into Cilium, mitigating common MITM attacks, and providing a safe-by-default network environment for multitenant clusters. To enable this, we've redesigned and replaced kube-proxy, meaning you can remove kube-proxy entirely and use Cilium's replacement instead. When running Cilium with kube-proxy disabled, you are not vulnerable to this CVE and are not forced to implement complex mitigations at the API layer.

Cilium's Zero Trust Approach to Security

How does Cilium prevent this vulnerability? Cilium performs a number of automatic network security mitigations based on Zero Trust Networking concepts. For example, we don't translate an ExternalIP address for traffic sourced from pods unless the ExternalIP is associated with a known node. If you're running kube-proxy in parallel with Cilium, you're still vulnerable to this attack because iptables will happily route traffic sourced from pods to an arbitrary ExternalIP.
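As an added illustration of the rule just described (this is example code written for this post, not part of Cilium), the audit below applies the same test to a cluster's Service objects: an externalIP is only acceptable when it belongs to a known node, so every other externalIP is reported. It takes the JSON shapes of `kubectl get svc -o json` and `kubectl get nodes -o json`; the two samples embedded here are constructed.

```python
# Added example, not Cilium code: flag Service externalIPs that are not node
# addresses, mirroring the "ExternalIP must belong to a known node" rule.
import ipaddress


def node_addresses(nodes_json):
    """Collect every InternalIP/ExternalIP address reported in node status."""
    addrs = set()
    for node in nodes_json["items"]:
        for addr in node["status"].get("addresses", []):
            if addr["type"] in ("InternalIP", "ExternalIP"):
                addrs.add(ipaddress.ip_address(addr["address"]))
    return addrs


def suspicious_external_ips(services_json, nodes_json):
    """Return (namespace, name, ip) for each externalIP not owned by a node."""
    known = node_addresses(nodes_json)
    findings = []
    for svc in services_json["items"]:
        for raw in svc["spec"].get("externalIPs", []):
            if ipaddress.ip_address(raw) not in known:
                meta = svc["metadata"]
                findings.append((meta["namespace"], meta["name"], raw))
    return findings


# Constructed sample: one node, a legitimate Service bound to the node's own
# address, a tenant Service whose externalIP points at a public resolver, and
# a plain ClusterIP Service with no externalIPs at all.
NODES = {"items": [{"metadata": {"name": "node-a"}, "status": {"addresses": [
    {"type": "InternalIP", "address": "10.0.0.5"},
    {"type": "Hostname", "address": "node-a"}]}}]}
SERVICES = {"items": [
    {"metadata": {"namespace": "infra", "name": "ingress"},
     "spec": {"type": "ClusterIP", "externalIPs": ["10.0.0.5"]}},
    {"metadata": {"namespace": "tenant-b", "name": "totally-legit"},
     "spec": {"type": "ClusterIP", "externalIPs": ["8.8.8.8"]}},
    {"metadata": {"namespace": "tenant-c", "name": "web"},
     "spec": {"type": "ClusterIP"}}]}

if __name__ == "__main__":
    for ns, name, ip in suspicious_external_ips(SERVICES, NODES):
        print(f"{ns}/{name}: externalIP {ip} is not a node address")
```

Run against live output by loading the two `kubectl ... -o json` documents with `json.load` and passing them in place of the constructed dictionaries.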

To make sure you're getting built-in protection from MITM and other kinds of network attacks, we recommend running Cilium without kube-proxy.

Cilium without kube-proxy

Figure: CVE with kube-proxy-free

Zero Trust Networking, mitigations against common types of MITM attacks, and significant performance improvements are all compelling reasons to move to Cilium's kube-proxy replacement.

If you're interested in learning more about Cilium's built-in Zero Trust features, or just want to say hello, reach out to us on Slack.
