Dec 11, 2020

Cilium Zero Trust Networking Protections Against CVE-2020-8554

Contributed by Jed Salazar, Senior Solutions Architect, and Martynas Pumputis, Software Engineer

You've probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you're unfamiliar, a MITM vulnerability works by redirecting a victim's legitimate network traffic through a secret attacker on the network, where the attacker can eavesdrop or actively tamper with the victim's data before sending it to its intended destination. There have been several MITM vulnerabilities in Kubernetes, most of which take advantage of the default overly-permissive CAP_NET_RAW permissions in Kubernetes. However this vulnerability is unique in two ways:

  1. MITM attacks generally make use of common types of network vulnerabilities, whereas this vulnerability affects the API layer of Kubernetes itself.
  2. Unlike most vulnerabilities that are assigned a Common Vulnerabilities and Exposures (CVE), there's no patch or hotfix you can deploy to protect your environment.

This vulnerability is also unique in another way: if you're running Cilium without kube-proxy, you aren't vulnerable to it at all. Let's talk about how.

CVE-2020-8554

The vulnerability affects multitenant clusters by an attacker creating a ClusterIP service and updating the ExternalIP field with an IP address they intend to intercept traffic to and eavesdrop on. When running with kube-proxy, protection from this vulnerability requires that you implement a fairly complex set of mitigations such as Open Policy Agent (OPA) Gatekeeper or an admission webhook.

Cilium with kube-proxy

CVE with `kube-proxy`

At Isovalent (the company that makes Cilium), we've been busy building Zero Trust Networking into Cilium, mitigating common MITM attacks, and providing a safe-by-default network environment for multitenant clusters. To enable this, we've redesigned and replaced kube-proxy, meaning you can remove kube-proxy entirely and use Cilium's replacement instead. When running Cilium with kube-proxy disabled, you are not vulnerable to this CVE and are not forced to implement complex mitigations at the API layer.

Cilium's Zero Trust Approach to Security

How does Cilium prevent this vulnerability? Cilium performs a number of automatic network security mitigations based on Zero Trust Networking concepts. For example we don't translate an ExternalIP address for traffic sourced from pods unless the ExternalIP is associated with a known node. If you're running kube-proxy in parallel with Cilium, you're vulnerable to this attack because iptables will happily route traffic sourced from pods to an arbitrary ExternalIP.

To make sure you're getting built-in protection from MITM and other kinds of network attacks, we recommend running Cilium without kube-proxy.

Cilium without kube-proxy

CVE with kube-proxy-free

Zero Trust Networking, mitigations against common types of MITM attacks, as well as significant performance improvements can be an intriguing reason to move to Cilium's kube-proxy replacement.

If you're interested in learning more about Cilium's built in Zero Trust features, or just want to say hello, reach out to us on Slack.

Popular posts

Cilium for Kubernetes networking: Why we use it and why we love it
Mar 07, 2023

Cilium for Kubernetes networking: Why we use it and why we love it

Palark switch from Flannel to Cilium and gained many benefits. Find out in the blog

Community
External
A well-secured project: Cilium Security Audits 2022
Feb 13, 2023

A well-secured project: Cilium Security Audits 2022

CNCF-commissioned audit by Ada Logics concludes that Cilium is a well-secured project

Community
External
Announcing the Cilium annual report
Jan 26, 2023

Announcing the Cilium annual report

Learn how fast the Cilium project contributors and end users grew in 2022

Community
External