CVE-2020-8554 PoC — Kubernetes Security Vulnerability

Associated Vulnerability
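Title: Kubernetes Security Vulnerability (CVE-2020-8554)
Description: Kubernetes is an open-source Docker container cluster management system from the Linux Foundation (US). It provides resource scheduling, deployment, service discovery, and scale-up/scale-down for containerized applications. Kubernetes has a security vulnerability: an attacker can use the LoadBalancer ExternalIP on Kubernetes to act as a man-in-the-middle and read or write data in a session.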
Description
Mitigate CVE-2020-8554 with Policy Controller in Anthos
Readme
# Mitigate CVE-2020-8554 with Policy Controller


This repository contains configuration files for using Policy Controller, which is based on the open source OPA Gatekeeper project, to block Kubernetes Services from public IP access.

The [security advisory for this issue](https://groups.google.com/g/kubernetes-announce/c/GPpZzVtGwiI) states:
>A security issue was discovered with Kubernetes affecting multitenant clusters. If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster.
>
>This issue has been rated medium severity (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), and assigned CVE-2020-8554.
>
>An attacker that is able to create a ClusterIP service and set the spec.externalIPs field can intercept traffic to that IP. An attacker that is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

This repository contains a Template and Constraint that restrict Services to a specific allow list of public IPs, thus limiting the ability of an attacker to add IPs outside of trusted values.

You can apply these policies using [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller), which is included as part of [Anthos Config Management](https://cloud.google.com/anthos/config-management). To customize the allowed IP addresses, edit or add items to the "allowedIPs" list in [k8sExternalIPs_constraint.yaml](https://github.com/jrmurray000/CVE-2020-8554/blob/main/k8sExternalIPs_constraint.yaml).

## Blocking by CIDR


If you just want to block IPs in a specific CIDR range, use the files `k8sExternalIPsCIDR_constraint.yaml` and `k8sExternalIPsCIDR_template.yaml`. This is useful, for example, to prevent an attacker from setting the `spec.externalIPs` field to an address in the default Kubernetes Services CIDR.
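
As an added example (not part of this repository), the following Python audit applies the same two checks to existing Services before the constraints are enforced. It assumes input shaped like `kubectl get services -A -o json`, uses `10.96.0.0/12` (the kubeadm default service CIDR) as the blocked range, and applies the allow list only to `spec.externalIPs`; the function names and sample data are constructed for illustration.

```python
import ipaddress

# Constructed sample, shaped like `kubectl get services -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"externalIPs": ["203.0.113.10"]}},
    {"metadata": {"namespace": "dev", "name": "suspect"},
     "spec": {"externalIPs": ["10.96.0.10", "198.51.100.7"]}},
    {"metadata": {"namespace": "dev", "name": "lb"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "10.96.0.1"},
                                             {"hostname": "lb.example.test"}]}}},
    {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
     "spec": {"clusterIP": "10.96.0.10"}},
]}


def service_ips(svc):
    """Yield (field, ip) for the two fields named in the advisory."""
    for ip in svc.get("spec", {}).get("externalIPs") or []:
        yield "spec.externalIPs", ip
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    for entry in ingress:
        if entry.get("ip"):  # hostname-only entries carry no IP
            yield "status.loadBalancer.ingress.ip", entry["ip"]


def audit(services, allowed_ips=(), blocked_cidrs=()):
    """Flag IPs inside a blocked CIDR, and externalIPs outside the allow list."""
    allowed = {ipaddress.ip_address(ip) for ip in allowed_ips}
    blocked = [ipaddress.ip_network(cidr) for cidr in blocked_cidrs]
    findings = []
    for svc in services.get("items", []):
        meta = svc.get("metadata", {})
        name = f"{meta.get('namespace')}/{meta.get('name')}"
        for field, raw in service_ips(svc):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((name, field, raw, "unparseable"))
                continue
            if any(ip in net for net in blocked):
                findings.append((name, field, raw, "in blocked CIDR"))
            elif field == "spec.externalIPs" and ip not in allowed:
                findings.append((name, field, raw, "not in allow list"))
    return findings


if __name__ == "__main__":  # assumed values: one allowed IP, kubeadm default CIDR
    print(*audit(SAMPLE, ["203.0.113.10"], ["10.96.0.0/12"]), sep="\n")
```

Running the audit first shows which existing Services would be rejected on their next update once the constraint is in place.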
File Snapshot

    [4.0K] /data/pocs/a1797f59f855690fe7eb80bed5af8c87147b8094
    ├── [ 375] k8sExternalIPsCIDR_constraint.yaml
    ├── [1.0K] k8sExternalIPsCIDR_template.yaml
    ├── [ 227] k8sExternalIPs_constraint.yaml
    ├── [1.0K] k8sExternalIPs_template.yaml
    ├── [ 11K] LICENSE
    └── [2.0K] README.md

    0 directories, 6 files