Cilium Zero Trust Networking Protections Against CVE-2020-8554

Contributed by Jed Salazar, Senior Solutions Architect, and Martynas Pumputis, Software Engineer

You’ve probably heard about the new Man in the Middle (MITM) vulnerability in Kubernetes. If you’re unfamiliar, a MITM vulnerability works by redirecting a victim’s legitimate network traffic through a secret attacker on the network, where the attacker can eavesdrop or actively tamper with the victim’s data before sending it to its intended destination. There have been several MITM vulnerabilities in Kubernetes, most of which take advantage of the default overly-permissive CAP_NET_RAW permissions in Kubernetes. However this vulnerability is unique in two ways:

  1. MITM attacks generally make use of common types of network vulnerabilities, whereas this vulnerability affects the API layer of Kubernetes itself.
  2. Unlike most vulnerabilities that are assigned a Common Vulnerabilities and Exposures (CVE), there’s no patch or hotfix you can deploy to protect your environment.

This vulnerability is also unique in another way: if you’re running Cilium without kube-proxy, you aren’t vulnerable to it at all. Let’s talk about how.

CVE-2020-8554

The vulnerability affects multitenant clusters by an attacker creating a ClusterIP service and updating the ExternalIP field with an IP address they intend to intercept traffic to and eavesdrop on. When running with kube-proxy, protection from this vulnerability requires that you implement a fairly complex set of mitigations such as Open Policy Agent (OPA) Gatekeeper or an admission webhook.

Cilium with kube-proxy

CVE with `kube-proxy`

At Isovalent (the company that makes Cilium), we’ve been busy building Zero Trust Networking into Cilium, mitigating common MITM attacks, and providing a safe-by-default network environment for multitenant clusters. To enable this, we’ve redesigned and replaced kube-proxy, meaning you can remove kube-proxy entirely and use Cilium’s replacement instead. When running Cilium with kube-proxy disabled, you are not vulnerable to this CVE and are not forced to implement complex mitigations at the API layer.

Cilium’s Zero Trust Approach to Security

How does Cilium prevent this vulnerability? Cilium performs a number of automatic network security mitigations based on Zero Trust Networking concepts. For example we don’t translate an ExternalIP address for traffic sourced from pods unless the ExternalIP is associated with a known node. If you’re running kube-proxy in parallel with Cilium, you’re vulnerable to this attack because iptables will happily route traffic sourced from pods to an arbitrary ExternalIP.

To make sure you’re getting built-in protection from MITM and other kinds of network attacks, we recommend running Cilium without kube-proxy.

Cilium without kube-proxy

CVE with kube-proxy-free

Zero Trust Networking, mitigations against common types of MITM attacks, as well as significant performance improvements can be an intriguing reason to move to Cilium’s kube-proxy replacement.

If you’re interested in learning more about Cilium’s built in Zero Trust features, or just want to say hello, reach out to us on Slack.