Ensure no remote code execution CVEs are found in containers with privilege and NET_RAW capabilities

Error: A container with an RCE CVE has privilege and NET_RAW capabilities that can lead to a network hijack

Bridgecrew Policy ID: BC_P3D_3
Severity: CRITICAL

A container with an RCE CVE has privilege and NET_RAW capabilities that can lead to a network hijack

Description

A network hijack is when an attacker gains control over traffic to and from a host and can spoof, tamper with or monitor it. If a container has a remote code execution (RCE) vulnerability and also runs privileged with the NET_RAW capability, an attacker who exploits the RCE can open raw sockets from inside the container and abuse NET_RAW to perform ARP spoofing, DNS spoofing and similar man-in-the-middle attacks against other workloads on the same network.

Fix - Buildtime

Multiple services

  1. If possible, patch the vulnerability by bumping the package.

  2. Explicitly prevent the container from running as root (UID 0).

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  runAsUser:
+   rule: 'MustRunAsNonRoot'
or
  runAsUser:
+   rule: 'MustRunAs'
+   ranges:
+     - min: <min user, 1 or higher>
+       max: <max user>
  3. Explicitly drop the NET_RAW capability (or ALL capabilities).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  requiredDropCapabilities:
+   - ALL
or
  requiredDropCapabilities:
+   - NET_RAW
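The three steps above all reduce to settings a scanner can read off the Pod's securityContext. PodSecurityPolicy was removed in Kubernetes 1.25, but the same fields (privileged, capabilities.drop, runAsNonRoot, runAsUser) live on the Pod spec on every version. The checker below is an added example, not Bridgecrew or Checkov code: it evaluates the posture half of this policy for each container in a Pod manifest, reporting privileged mode, an effective NET_RAW capability and a root UID. The RCE-CVE half comes from the image scanner and is out of scope. It assumes the runtime grants Docker's default capability set (which includes NET_RAW) unless the manifest drops it, and the two manifests at the bottom are constructed for illustration; the `sidecar` container shows the edge case where `drop: [ALL]` is undone by `add: [NET_RAW]`.

```python
"""Added example (not Bridgecrew/Checkov code): score each container in a Pod
spec against the three posture conditions this policy combines with an RCE
CVE: privileged mode, an effective NET_RAW capability, and running as root.
The CVE half comes from an image scanner and is out of scope here.
The manifests at the bottom are constructed for illustration."""
from typing import Dict, List

# Assumption: the runtime grants Docker's default capability set, which
# includes NET_RAW, to any container that does not drop it.
DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
}


def _norm(caps) -> set:
    """Uppercase and strip an optional CAP_ prefix (Kubernetes uses bare names)."""
    out = set()
    for c in caps or []:
        c = c.upper()
        out.add(c[4:] if c.startswith("CAP_") else c)
    return out


def has_net_raw(container: dict) -> bool:
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True  # privileged grants the full capability set
    caps = sc.get("capabilities") or {}
    drop, add = _norm(caps.get("drop")), _norm(caps.get("add"))
    if "ALL" in add:
        return True
    # Kubernetes applies drop first, then add: drop ALL + add NET_RAW keeps it.
    effective = set() if "ALL" in drop else DEFAULT_CAPS - drop
    return "NET_RAW" in (effective | add)


def may_run_as_root(container: dict, pod_spec: dict) -> bool:
    pod_sc = pod_spec.get("securityContext") or {}
    sc = container.get("securityContext") or {}
    # Container-level settings override pod-level ones.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True:
        return False  # kubelet refuses to start the container as UID 0
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    # Unset means "whatever USER the image declares", which is often root.
    return uid is None or uid == 0


def evaluate_pod(pod: dict) -> Dict[str, List[str]]:
    """Return {container name: [findings]}; an empty list means compliant."""
    spec = pod.get("spec") or {}
    report = {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        findings = []
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append("privileged")
        if has_net_raw(c):
            findings.append("NET_RAW")
        if may_run_as_root(c, spec):
            findings.append("root")
        report[c["name"]] = findings
    return report


# Constructed sample manifests (Pod specs, not PodSecurityPolicies).
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    {"name": "web", "image": "example/web:1.0",
     "securityContext": {"privileged": True}},
    # Drops ALL but adds NET_RAW back and pins UID 0: still hijack-capable.
    {"name": "sidecar", "image": "example/sidecar:1.0",
     "securityContext": {"runAsUser": 0,
                         "capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}},
]}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "app", "image": "example/web:1.0",
                    "securityContext": {"privileged": False,
                                        "allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, evaluate_pod(pod))
```

Run it directly to see the two reports; the `web` container is flagged on all three conditions, `sidecar` on NET_RAW and root, and the hardened `app` on none. Feeding it a real manifest only requires loading the YAML into a dict with PyYAML first.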