Lateral movement

Controller creating containers with the NET_RAW capability enabled

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

Linux capabilities divide the privileges traditionally associated with the superuser into distinct units that can be independently enabled and disabled. The Kubernetes controller {K8sController} was found configured with settings that create containers without dropping the CAP_NET_RAW capability. This means that the container can open raw sockets and bind to any address, which allows spoofing attacks. The capabilities of a container are defined in the SecurityContext of the container and are responsible for limiting the potential attack vectors beyond the pod-level context; they specify which capabilities are added to or dropped from a container. An attacker can use the CAP_NET_RAW capability in a compromised container to redirect network traffic to/from pods on the same node, giving the attacker the possibility for lateral movement and compromising the cluster.
Recommended Mitigation

Consider adding the CAP_NET_RAW capability to the dropped capabilities of the containers in the {K8sController} controller, in accordance with the Principle of Least Privilege.
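The following is an added example, not part of the original finding or of any scanner's code: a small offline check that walks a controller manifest (a constructed Deployment, not one from a real cluster) and reports the containers that would still run with CAP_NET_RAW. It accounts for the fact that Kubernetes applies `capabilities.drop` before `capabilities.add`, so dropping `ALL` and re-adding `NET_RAW` is not a fix; the compliant container in the sample shows the mitigation the text recommends.

```python
"""Flag containers in a Kubernetes controller manifest that keep CAP_NET_RAW.

Kubernetes applies securityContext.capabilities.drop before .add, so a container
has NET_RAW unless it is dropped (directly or via ALL) and not re-added.
"""

NET_RAW = "NET_RAW"


def _caps(container, key):
    # Manifests name capabilities without the CAP_ prefix; normalise anyway so
    # "CAP_NET_RAW" and "net_raw" are treated like "NET_RAW".
    sc = container.get("securityContext") or {}
    caps = (sc.get("capabilities") or {}).get(key) or []
    norm = set()
    for c in caps:
        c = c.upper()
        norm.add(c[4:] if c.startswith("CAP_") else c)
    return norm


def keeps_net_raw(container):
    """True if the container would run with CAP_NET_RAW in its bounding set."""
    dropped = _caps(container, "drop")
    added = _caps(container, "add")
    explicitly_dropped = NET_RAW in dropped or "ALL" in dropped
    return NET_RAW in added or not explicitly_dropped


def find_net_raw_containers(controller):
    """Names of (init)containers in a Deployment/StatefulSet/DaemonSet-style
    manifest whose pod template keeps CAP_NET_RAW."""
    spec = controller["spec"]["template"]["spec"]
    return [c["name"] for field in ("initContainers", "containers")
            for c in spec.get(field, []) if keeps_net_raw(c)]


# Constructed sample manifest (hypothetical names, not from a real cluster).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "example-controller"},
    "spec": {"template": {"spec": {"containers": [
        # No securityContext: runtime default set, which includes NET_RAW.
        {"name": "web", "image": "nginx:1.25"},
        # Drops NET_RAW explicitly: the recommended mitigation.
        {"name": "api", "image": "api:1.0",
         "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
        # Drops ALL but re-adds NET_RAW: still has the capability.
        {"name": "probe", "image": "probe:1.0",
         "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}},
    ]}}},
}

if __name__ == "__main__":
    print("containers keeping CAP_NET_RAW:", find_net_raw_containers(SAMPLE_DEPLOYMENT))
```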