New Year, More Kubernetes Vulnerabilities

Now that Kubernetes clusters are being deployed more widely in production environments, the attention cybersecurity researchers pay to a platform that is still new to the enterprise will surely increase in 2021. As such, IT organizations should expect the trickle of Kubernetes vulnerabilities disclosed in 2020 to become a wave.

Whether those vulnerabilities being disclosed represent an immediate clear and present danger is up to IT organizations to decide.

For example, a man-in-the-middle Kubernetes vulnerability identified as CVE-2020-8554 that was disclosed at the end of 2020 only becomes an issue when a potential attacker has gained access to the credentials required to create or edit services and pods. A man-in-the-middle attack is one of several malicious activities that could be launched via what essentially would be considered an insider threat.

In this case, a malicious actor in a multi-tenant cluster can intercept traffic by setting the externalIPs field on a ClusterIP service, or by patching the status of a LoadBalancer service, so that traffic other tenants send to those addresses is routed to pods the attacker controls. Man-in-the-middle attacks are a fairly well-known attack vector in any IT environment, so it’s not likely this vulnerability is going to have a material impact on the rate at which Kubernetes clusters are being rolled out.

It’s critical for IT teams to be aware of what steps they should take to mitigate these potential threats. At the same time, cybersecurity vendors are encouraging researchers to discover as many vulnerabilities as possible as part of an effort to generate more awareness for their respective platforms and solutions.

IT organizations that are concerned about man-in-the-middle compromises can, for example, apply a policy that ensures no ClusterIP service whose spec contains externalIPs can ever be created, says Om Moolchandani, CTO for Accurics, the provider of the Terrascan tools for securing infrastructure that is being managed as code. That approach eliminates the ability to divert traffic to an external IP address, he notes.

Organizations that adopt Kubernetes should also make sure that permission to PATCH the status of services (the services/status subresource, which is how a LoadBalancer service’s ingress IP gets set) is limited to trusted controllers rather than granted to every namespace’s service account, and that an admission controller webhook rejects services that set externalIPs outside a range the cluster operator has deliberately reserved.
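The two mitigations above, the policy Moolchandani describes and the admission webhook, come together in a validating webhook. The following is an added example written for this article, not code from Accurics, Snyk or the Kubernetes project: it implements the webhook’s decision logic in Go with the standard library only (the AdmissionReview and Service types are cut down to the fields the check needs, rather than imported from k8s.io), denies any Service whose externalIPs fall outside a hypothetical allowlist (203.0.113.0/24, a documentation range chosen for the example), fails closed on malformed input, and goes slightly beyond the quoted policy by checking every service type, since the externalIPs field is honored on NodePort and LoadBalancer services as well as ClusterIP. The two manifests in main are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
)

// Minimal admission.k8s.io/v1 AdmissionReview shapes, written out with the
// standard library only so the file builds stand-alone (no k8s.io module).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"` // CREATE or UPDATE
	Namespace string          `json:"namespace"`
	Object    json.RawMessage `json:"object"` // the Service being admitted
}

type Status struct {
	Message string `json:"message,omitempty"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"result,omitempty"`
}

// Only the Service fields the check needs; everything else is ignored.
type Service struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Type        string   `json:"type"`
		ExternalIPs []string `json:"externalIPs"`
	} `json:"spec"`
}

// allowedCIDRs is a hypothetical allowlist of ranges the cluster operator has
// reserved for externalIPs. TEST-NET-3 is used here purely as sample data.
var allowedCIDRs = mustCIDRs("203.0.113.0/24")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// ValidateService returns (allowed, reason). A Service of any type carrying an
// externalIPs entry outside the allowlist is denied, which is the condition
// CVE-2020-8554 abuses. Unparseable input is denied so the webhook fails closed.
func ValidateService(raw []byte) (bool, string) {
	var svc Service
	if err := json.Unmarshal(raw, &svc); err != nil {
		return false, "malformed Service object: " + err.Error()
	}
	for _, s := range svc.Spec.ExternalIPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return false, fmt.Sprintf("service %q: externalIPs entry %q is not an IP address", svc.Metadata.Name, s)
		}
		inAllowlist := false
		for _, n := range allowedCIDRs {
			if n.Contains(ip) {
				inAllowlist = true
				break
			}
		}
		if !inAllowlist {
			return false, fmt.Sprintf("service %q (type %s): externalIP %s is outside the reserved ranges (CVE-2020-8554 mitigation)", svc.Metadata.Name, svc.Spec.Type, s)
		}
	}
	return true, ""
}

// Review turns an incoming AdmissionReview into the response the API server expects.
func Review(in AdmissionReview) AdmissionReview {
	resp := &AdmissionResponse{Allowed: false}
	if in.Request == nil {
		resp.Result = &Status{Message: "AdmissionReview has no request"}
	} else {
		resp.UID = in.Request.UID
		var reason string
		resp.Allowed, reason = ValidateService(in.Request.Object)
		if !resp.Allowed {
			resp.Result = &Status{Message: reason}
		}
	}
	return AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
}

// handler is the HTTP endpoint a ValidatingWebhookConfiguration for services
// (operations CREATE and UPDATE) would point at; it must be served over TLS.
func handler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	var in AdmissionReview
	if err != nil || json.Unmarshal(body, &in) != nil {
		http.Error(w, "bad AdmissionReview", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(Review(in))
}

func main() {
	// Constructed manifests: a plain ClusterIP service, and one that claims an
	// externalIP outside the reserved range, the pattern used to hijack traffic.
	benign := `{"metadata":{"name":"web"},"spec":{"type":"ClusterIP","ports":[{"port":80}]}}`
	hijack := `{"metadata":{"name":"mitm"},"spec":{"type":"ClusterIP","externalIPs":["198.51.100.7"]}}`
	for i, obj := range []string{benign, hijack} {
		rv := AdmissionReview{Request: &AdmissionRequest{UID: fmt.Sprint(i), Operation: "CREATE", Namespace: "tenant-a", Object: json.RawMessage(obj)}}
		out, _ := json.Marshal(Review(rv))
		fmt.Println(string(out))
	}
	// In a cluster: http.HandleFunc("/validate", handler) and
	// http.ListenAndServeTLS(":8443", certFile, keyFile, nil), with the CA
	// bundle referenced from the ValidatingWebhookConfiguration.
}
```

Denying on parse failure matters: a webhook that allows whatever it cannot read is a bypass waiting to happen, and the ValidatingWebhookConfiguration should likewise set failurePolicy to Fail so an unreachable webhook does not silently admit services. The services/status side of the mitigation is not an admission problem and is handled with RBAC by not granting patch on that subresource to tenant service accounts.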

Given the complexity of Kubernetes environments, however, a man-in-the-middle attack may be difficult to detect in a sea of services. Snyk, a provider of tools for scanning application environments for vulnerabilities, has added a security rule that identifies whenever a service is accessing an external IP address. That activity would be indicative of a man-in-the-middle attack underway, says Ben Laplanche, a product manager for Snyk.

Regardless of the approach to mitigating this vulnerability, it’s only one of a series of vulnerabilities that will surely increase in 2021. Each IT organization will need to evaluate the level of risk attached to each vulnerability disclosure. Just because something is discovered does not mean some dire situation exists.

Of course, it’s also easy to become inured to vulnerability disclosures that many IT administrators will assume are going to be addressed in the next major update to the platforms they impact. That’s especially the case in organizations that tend to frequently update their Kubernetes clusters. There are, however, many organizations that continue to run older versions of Kubernetes clusters that, if left unattended, could become a significant problem.

As is always the case, however, IT administrators should continue to rely on their own best judgment when it comes to determining just how critical any vulnerability might really be.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
