Ensure no remote code execution CVEs are found in containers with privilege and NET_RAW capabilities
Error: A container with an RCE CVE has privilege and NET_RAW capabilities that can lead to a network hijack
Bridgecrew Policy ID: BC_P3D_3
A container with an RCE CVE has privilege and NET_RAW capabilities that can lead to a network hijack
A network hijack is when an attacker gains control of, spoofs, tampers with, or monitors traffic to and from a host. If a container has a remote code execution (RCE) vulnerability together with privileged access and the NET_RAW capability, an attacker could execute code in the container and abuse NET_RAW to perform ARP spoofing and DNS spoofing, among other attacks.
Fix - Buildtime
- If possible, patch the vulnerability by bumping the package.
- Explicitly prevent a user from running as root or user 0.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  runAsUser:
    rule: 'MustRunAsNonRoot'
    # or, to pin an allowed UID range instead:
    # rule: 'MustRunAs'
    # ranges:
    #   - min: <min user, 1 or higher>
    #     max: <max user>
```

- Explicitly drop NET_RAW and/or ALL capabilities.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: <policy name>
spec:
  requiredDropCapabilities:
    - ALL
    # or, to drop only the capability this policy is about:
    # - NET_RAW
```
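The following is an added example, not Bridgecrew's checker or any code from the page: a small static check over a Pod manifest for the privilege-plus-NET_RAW conditions the fix above addresses (privileged flag, root UID, and NET_RAW neither dropped nor explicitly added). The "RCE CVE" half of the finding comes from image scanning and is out of scope here. It assumes the cluster runtime grants NET_RAW by default, as Docker's default capability set does; the manifests, image name and function names are constructed for the example.

```python
# Added example (not Bridgecrew's own checker): a minimal static check over a pod
# manifest for the privilege-plus-NET_RAW conditions this policy describes.
# The "RCE CVE" half of the finding comes from image scanning, which is out of
# scope here; this only evaluates the securityContext side.

# Docker's default capability set grants NET_RAW, so a container that neither
# drops ALL nor drops NET_RAW is treated as holding it. (Assumption: the
# cluster's runtime uses that default.)
RUNTIME_GRANTS_NET_RAW_BY_DEFAULT = True


def _caps(container, key):
    """Capability names under securityContext.capabilities.<key>, upper-cased."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return {str(c).upper() for c in (caps.get(key) or [])}


def container_findings(container, pod_sc=None):
    """Return a list of findings for one container (empty list = compliant)."""
    sc = container.get("securityContext") or {}
    pod_sc = pod_sc or {}
    findings = []

    if sc.get("privileged") is True:
        findings.append("privileged")

    # Kubernetes applies drops first, then adds, so an explicit add of NET_RAW
    # wins even when ALL is dropped.
    adds, drops = _caps(container, "add"), _caps(container, "drop")
    if "NET_RAW" in adds or (
        RUNTIME_GRANTS_NET_RAW_BY_DEFAULT and not ({"ALL", "NET_RAW"} & drops)
    ):
        findings.append("NET_RAW")

    # Container-level settings override pod-level ones.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if non_root is not True and (uid is None or uid == 0):
        findings.append("may run as root")

    return findings


def pod_findings(pod):
    """Map each container name in a Pod manifest to its findings."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    results = {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        results[c["name"]] = container_findings(c, pod_sc)
    return results


def policy_violated(pod):
    """True when any container has both a privilege finding and NET_RAW."""
    for findings in pod_findings(pod).values():
        privilege = "privileged" in findings or "may run as root" in findings
        if privilege and "NET_RAW" in findings:
            return True
    return False


# Constructed sample manifests (not from the page); the image name is a placeholder.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "weak"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {"privileged": True},
            }
        ]
    },
}

HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {
                    "privileged": False,
                    "capabilities": {"drop": ["ALL"]},
                },
            }
        ],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], pod_findings(pod), policy_violated(pod))
```

The check treats "not dropped" as "granted" because the capability is present by default; a manifest that says nothing about capabilities is therefore reported, which matches the intent of requiring an explicit drop in the PodSecurityPolicy above.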