medium

GKE and EKS CAP_NET_RAW metadata service MITM root privilege escalation

Published Mon, Jun 15th, 2020
Platforms

Summary

An attacker with access to a hostNetwork=true container that holds the CAP_NET_RAW capability can sniff all traffic passing through the host and inject arbitrary packets, allowing them to tamper with most unencrypted traffic (HTTP, DNS, DHCP, ...) and to disrupt encrypted traffic. In GKE the host queries the metadata service at http://169[.]254.169.254 for configuration data, including the authorized SSH keys. By manipulating the metadata service responses and injecting an attacker-controlled SSH key, it is possible to gain root privileges on the host.
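The precondition above is a pod-spec combination that an admission policy or periodic audit can flag: hostNetwork=true together with a container that has not dropped NET_RAW (container runtimes grant it by default). The following audit function is an added example, not part of this advisory or of GKE/EKS tooling; it assumes Kubernetes v1 Pod objects already parsed into Python dicts (for instance from `kubectl get pods -A -o json`), and the sample pods are constructed for illustration.

```python
# Added example: flag pods that combine hostNetwork=true with a container
# that still holds CAP_NET_RAW. Input: Kubernetes v1 Pod objects as dicts.


def _capability_names(caps):
    """Normalise names so 'NET_RAW' and 'CAP_NET_RAW' compare equal."""
    return {str(c).upper().removeprefix("CAP_") for c in (caps or [])}


def container_has_net_raw(container):
    """True if the container would run with CAP_NET_RAW.

    Runtimes include NET_RAW in the default capability set, so it is present
    unless securityContext drops it (or ALL); an explicit 'add' wins over drop
    because runtimes apply drops first, then adds.
    """
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = _capability_names(caps.get("add"))
    dropped = _capability_names(caps.get("drop"))
    if "ALL" in added or "NET_RAW" in added:
        return True
    if "ALL" in dropped or "NET_RAW" in dropped:
        return False
    return True  # nothing dropped: default set still includes NET_RAW


def audit_pod(pod):
    """Return one finding per container able to sniff/inject host traffic."""
    spec = pod.get("spec") or {}
    if not spec.get("hostNetwork"):
        return []  # without the host netns, NET_RAW only reaches the pod's own interface
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            if container_has_net_raw(c):
                findings.append(f"{name}/{c.get('name')}: hostNetwork=true with CAP_NET_RAW")
    return findings


# Constructed sample objects, not taken from any real cluster.
RISKY_POD = {
    "metadata": {"name": "net-debug"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "sniffer", "image": "example/debug"}]},
}
HARDENED_POD = {
    "metadata": {"name": "net-debug"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "sniffer", "image": "example/debug",
                             "securityContext": {"capabilities": {"drop": ["ALL"]}}}]},
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(audit_pod(pod) or ["ok"])
```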

Affected Services

GKE, EKS

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Mon, Jun 15th, 2020
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Etienne Champetier