ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster

Error: ServiceAccounts and nodes that can modify services/status may set the status.loadBalancer.ingress.ip field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster

Bridgecrew Policy ID: BC_K8S_118
Checkov Check ID: CKV2_K8S_4
Severity: Medium


Description

In Kubernetes, a ServiceAccount is the identity that processes running in pods (including in-cluster controllers) use when they call the API server. A ServiceAccount has no permissions of its own: what it may do is defined by Roles and ClusterRoles that are granted to it through RoleBindings and ClusterRoleBindings.

CVE-2020-8554 is a design issue in Kubernetes that has no upstream fix; it is mitigated only by limiting who can set the affected fields. A principal that is allowed to update or patch the services/status subresource can set the status.loadBalancer.ingress.ip field of a Service to any IP address. Note that the status subresource is separate from the Service object itself: a rule on the resource "services" does not cover it, and a rule on "services/status" is what this check looks for. (The same CVE also covers spec.externalIPs, which is controlled by ordinary write access to Services.)

kube-proxy treats a load balancer ingress IP as an address that should be routed to the Service's endpoints. If an attacker sets that field to an IP that workloads in the cluster legitimately talk to, such as an external API or another internal service, traffic from pods and nodes in the cluster to that address is redirected to the backend pods of the attacker's Service. This is a man-in-the-middle (MiTM) position: the attacker can read and modify the intercepted traffic, which can expose credentials and other sensitive data or let them act on behalf of the victim.

To prevent this, make sure that no ServiceAccount can update or patch services/status unless it genuinely needs to, which in practice means only the cloud controller manager or load balancer controller that manages Service status. Review the Roles and ClusterRoles bound to ServiceAccounts for the verbs update, patch or * on "services/status", or on the wildcards "*/status" and "*", and remove or narrow those rules. An admission webhook that rejects unexpected ingress IPs adds a second layer of defense.

Nodes have cluster identities as well: the kubelet authenticates as the user system:node:<name> and as a member of the group system:nodes. If a Role or ClusterRole that grants these verbs is bound to those subjects, a compromised node can carry out the same attack, so such bindings should be checked and removed in the same way.
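The audit described above, as an added example written for this page (it is not Checkov's own implementation of the check): it walks parsed RBAC manifests, finds Roles and ClusterRoles that can write services/status, and reports every ServiceAccount or node subject bound to them. The manifests at the bottom are constructed dicts in the shape yaml.safe_load would return; the names in them are invented for the example.

```python
"""Added example (not Checkov's own check): scan parsed RBAC manifests for
ServiceAccounts or nodes bound to a Role/ClusterRole that can update/patch
the services/status subresource, the permission CVE-2020-8554 abuse needs."""

MUTATING_VERBS = {"update", "patch", "*"}


def rule_allows_status_write(rule):
    """True if one RBAC rule lets its holder write services/status.

    Follows Kubernetes RBAC matching: "" or "*" for the core API group;
    "services/status", "*/status" or "*" for the resource. A rule on
    "services" alone does NOT cover the status subresource.
    """
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    in_core_group = bool(groups & {"", "*"})
    hits_status = bool(resources & {"services/status", "*/status", "*"})
    return in_core_group and hits_status and bool(verbs & MUTATING_VERBS)


def is_service_account_or_node(subject):
    """Subjects this policy is about: ServiceAccounts, the system:nodes
    group and individual node identities (system:node:<name>)."""
    kind, name = subject.get("kind"), subject.get("name", "")
    return (kind == "ServiceAccount"
            or (kind == "Group" and name == "system:nodes")
            or (kind == "User" and name.startswith("system:node:")))


def find_status_writers(manifests):
    """Return (binding, role, subject) tuples for every flagged subject."""
    roles = {}
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            key = (m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"])
            roles[key] = m.get("rules", [])
    findings = []
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = m["roleRef"]
        # A RoleBinding may reference a Role in its own namespace or a ClusterRole.
        ns = m["metadata"].get("namespace") if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], ns, ref["name"]), [])
        if not any(rule_allows_status_write(r) for r in rules):
            continue
        for s in m.get("subjects", []):
            if is_service_account_or_node(s):
                who = f"{s['kind']}/{s.get('namespace', '-')}/{s['name']}"
                findings.append((f"{m['kind']}/{m['metadata']['name']}",
                                 f"{ref['kind']}/{ref['name']}", who))
    return findings


# Constructed manifests (as yaml.safe_load would return them); names are invented.
SAMPLE_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "svc-status-writer"},
     "rules": [{"apiGroups": [""], "resources": ["services/status"], "verbs": ["patch"]}]},
    {"kind": "Role", "metadata": {"name": "svc-editor", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "patch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ctrl-status"},
     "roleRef": {"kind": "ClusterRole", "name": "svc-status-writer"},
     "subjects": [{"kind": "ServiceAccount", "name": "controller", "namespace": "app"},
                  {"kind": "Group", "name": "system:nodes"}]},
    {"kind": "RoleBinding", "metadata": {"name": "edit-svcs", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "svc-editor"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "app"}]},
]

if __name__ == "__main__":
    for binding, role, subject in find_status_writers(SAMPLE_MANIFESTS):
        print(f"{binding} grants {role} (writes services/status) to {subject}")
```

Run against the sample, only the ClusterRoleBinding is reported (once for the ServiceAccount, once for the system:nodes group); the RoleBinding is not, because "patch" on "services" does not reach the status subresource. To use it on a live cluster, feed it the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o yaml` after loading the items with yaml.safe_load. Aggregated ClusterRoles are not expanded here.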

Fix - Buildtime

Kubernetes

Permissions are not configured on the ServiceAccount object itself, and annotations on it do not restrict anything. Remove the verbs update, patch and * on "services/status" (and the wildcards "*/status" and "*" in the core API group) from the Roles and ClusterRoles bound to ServiceAccounts and to node identities, leaving them only for the controller that manages load balancer status. A Role that lets a workload read Services without being able to touch their status:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-service-reader
  namespace: my-namespace
rules:
  - apiGroups: [""]
    resources: ["services"]   # no services/status, so the status cannot be patched
    verbs: ["get", "list", "watch"]