Ensure no remote code execution CVEs are found in containers with privilege and NET_RAW capabilities
Error: A container with an RCE CVE has privilege and NET_RAW capabilities that can lead to a network hijack
Bridgecrew Policy ID: BC_P3D_3
Severity: CRITICAL
A container with an RCE CVE has privilege and NET_RAW capabilities that can lead to a network hijack
Description
A network hijack occurs when an attacker gains control of traffic to and from a host and can spoof, tamper with or monitor it. If a container has a remote code execution (RCE) vulnerability together with privileged access and the NET_RAW capability, an attacker who exploits the RCE can run code in the container and abuse NET_RAW to perform ARP and DNS spoofing, among other things.
Fix - Buildtime
Multiple services
- If possible, patch the vulnerability by bumping the package.
- Explicitly prevent a user from running as root or user 0. Add a runAsUser rule to the PodSecurityPolicy, using either MustRunAsNonRoot:
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: <policy name>
  spec:
    runAsUser:
      rule: 'MustRunAsNonRoot'
  or MustRunAs with a range that excludes user 0:
  spec:
    runAsUser:
      rule: 'MustRunAs'
      ranges:
        - min: <min user, 1 or higher>
          max: <max user>
- Explicitly drop NET_RAW and/or ALL capabilities. Add requiredDropCapabilities to the PodSecurityPolicy, dropping either ALL:
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: <policy name>
  spec:
    requiredDropCapabilities:
      - ALL
  or just NET_RAW:
  spec:
    requiredDropCapabilities:
      - NET_RAW
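The conditions this policy and its fix describe, as an added example that is not Bridgecrew's own checker: it audits a Pod manifest (a constructed dict, not the output of any scanner) for privileged containers that still hold NET_RAW and for containers allowed to run as root, which is the same posture a PodSecurityPolicy would reject and the check to keep in mind since PodSecurityPolicy was removed in Kubernetes 1.25. The CVE half of the policy requires an image scanner and is out of scope here.

```python
from typing import Dict, List

# Dropping either of these removes NET_RAW, which Kubernetes grants by default.
NET_RAW_DROPS = {"ALL", "NET_RAW"}


def container_findings(pod_spec: dict, container: dict) -> List[str]:
    """Return the risky properties of one container (empty list means clean)."""
    sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = {c.upper() for c in caps.get("drop") or []}
    added = {c.upper() for c in caps.get("add") or []}
    findings = []
    if sc.get("privileged") is True:
        findings.append("privileged")
    # NET_RAW stays unless ALL or NET_RAW is dropped and it is not re-added.
    if "NET_RAW" in added or not (dropped & NET_RAW_DROPS):
        findings.append("NET_RAW")
    # Container settings override pod settings; no setting at all allows root.
    run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    if run_as_user == 0 or (run_as_user is None and not non_root):
        findings.append("root")
    return findings


def audit_pod(pod: dict) -> Dict[str, List[str]]:
    """Map container name -> findings, omitting containers with none."""
    spec = pod["spec"]
    result = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        found = container_findings(spec, c)
        if found:
            result[c["name"]] = found
    return result


# Constructed sample: the posture this policy flags.
VULNERABLE_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"privileged": True}}]}}

# Constructed sample: the same workload after the buildtime fix above.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"privileged": False, "runAsNonRoot": True,
                         "capabilities": {"drop": ["ALL"]}}}]}}
```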