NA

CVE-2020-8554

Vulnerability Summary

Kubernetes could allow a remote authenticated malicious user to bypass security restrictions, caused by a flaw when using LoadBalancer or ExternalIPs. By utilize man-in-the-middle, an attacker could exploit this vulnerability to patch the status of a LoadBalancer service.

Vulnerability Trend

Mailing Lists

A security issue was discovered with Kubernetes affecting multitenant clusters If a potential attacker can already create or edit services and pods, then they may be able to intercept traffic from other pods (or nodes) in the cluster This issue has been rated medium severity ( CVSS:30/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L <wwwfirstor ...

Github Repositories

Universal Kubernetes mutating operator

KubeMod KubeMod is a universal Kubernetes mutating operator It introduces ModRule — a custom Kubernetes resource which allows you to intercept the deployment of any Kubernetes object and apply targeted modifications to it or reject it before it is deployed to the cluster Use KubeMod to: Customize opaque Helm charts and Kubernetes operators Build a system of policy rul

Setup for a K8s home lab running on a single host (e.g. Intel NUC)

Kubernetes in a Home Lab Environment This repository should contain all required steps, manifests and resources to set up a K8s in a home lab environment Its status should be viewed as "work in progress" since I plan to improve various things in the future In the end, I will probably run some applications on top of this technology stack but the main goal is to impro

Kubernetes security tool for policy enforcement

k-rail is a workload policy enforcement tool for Kubernetes It can help you secure a multi tenant cluster with minimal disruption and maximum velocity Why k-rail? Suggested usage Installation Removal Viewing policy violations Violations from realtime feedback Violations from the Events API Violations from logs Supported policies No ShareProcessNamespace No Exec No Bin

ClusterIP Validating Webhook

externalip-webhook created to address CVE-2020-8554 externalip-webhook, is a validating webhook which prevents services from using random external IPs Cluster administrators can specify list of CIDRs allowed to be used as external IP by specifying allowed-external-ip-cidrs parameter Webhook will only allow creation of services which doesn't require external IP or whose e

Mitigate CVE-2020-8554 with Policy Controller in Anthos

CVE-2020-8554 Mitigate CVE-2020-8554 with Policy Controller in Anthos

[EMBARGO] CVE-2020-8554: Man in the middle using LoadBalancer or ExternalIPs

externalip-webhook created to address CVE-2020-8554 externalip-webhook, is a validating webhook which prevents services from using random external IPs Cluster administrators can specify list of CIDRs allowed to be used as external IP by specifying allowed-external-ip-cidrs parameter Webhook will only allow creation of services which doesn't require external IP or whose e

Prisma Cloud Compute Admission rules to mitigate Kubernetes CVE-2020-8554

Prisma Cloud Compute Mitigations for Kubernetes CVE-2020-8554 This repository contains Prisma Cloud Compute Admission rules that mitigate exploitation of CVE-2020-8554, an unpatched Kubernetes vulnerability To ensure correct usage, please follow the instructions provided in the 'Prisma Cloud Mitigation' section of our response post, Protecting Against Kubernetes CVE-

2020年发布到阿尔法实验室微信公众号的所有安全资讯汇总

欢迎关注阿尔法实验室微信公众号 20201231 [漏洞] 2020年增加的10个最严重的CVE blogdetectifycom/2020/12/30/top-10-critical-cves-added-in-2020/ Chromium RawClipboardHostImpl中的UAF漏洞 bugschromiumorg/p/chromium/issues/detail?id=1101509 [工具] Sarenka:OSINT工具,将来自shodan、censys等服务的数据集中在一处

PoC in GitHub 2020 CVE-2020-0014 (2020-02-13) It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android

Recent Articles

All Kubernetes versions affected by unpatched MiTM vulnerability
BleepingComputer • Sergiu Gatlan • 08 Dec 2020

The Kubernetes Product Security Committee has provided advice on how to temporarily block attackers from exploiting a vulnerability that could enable them to intercept traffic from other pods in multi-tenant Kubernetes clusters in man-in-the-middle (MiTM) attacks.
 (aka K8s), originally developed by Google and now maintained by the Cloud Native Computing Foundation, is an open-source system designed to help automate the deployment, scaling, and management of containerized workloads, s...

The Register

Patch Tuesday For December's Patch Tuesday bug bonanza, Microsoft handed out fixes for a mere 58 vulnerabilities while various other orgs addressed shortcomings in their own software in separate, parallel announcements.
On the one hand, vendors glommed to Microsoft's Patch Tuesday on the pretense that users and system administrators could plan their patching around a regular, monthly cadence. On the other hand, it lets developers emit all their bad news at once and ideally avoid headlines ...