Lateral movement

Controller creating containers with the NET_RAW capability enabled

  • N/A

Compliance Frameworks


Linux Capabilities refer to the division of the privileges, which are traditionally associated with superuser, into distinct units which can be independently enabled and disabled. The Kubernetes controller {K8sController} was found configured with settings that create containers without dropping the CAP_NET_RAW capability, this means that the container can use RAW sockets and binding to any address, allowing spoofing attacks. The capabilities of a container are defined in the SecurityContext of the container and are responsible for limiting the potential attack vectors beyond the pod-level context. These can limit the capabilities added to or dropped from a container. An attacker can use the CAP_NET_RAW capability on an infected container to redirect network traffic to/from pods on the same node, giving the attacker the possibility for lateral movement and compromising the cluster.