Kubernetes MiTM Vulnerability Underscores Need for Virtual Patching

CVE-2020-8554, a man-in-the-middle (MiTM) vulnerability affecting all Kubernetes versions, has begun drawing attention from the cloud-native community for its ability to allow authenticated-but-malicious users to remotely bypass security restrictions. This vulnerability is the latest high-profile example showing that securing container and Kubernetes pipelines across the full application life cycle—from the beginning of development, into testing and through to production—requires overcoming significant and ever-evolving challenges. It’s possible for critical vulnerabilities, such as CVE-2020-8554, that compromise security to enter the CI/CD pipeline at any stage, especially given the expanded attack surfaces represented by Kubernetes, Docker and equivalent solutions or related tools.

As hackers increasingly turn their attention to testing the security of these technologies for weaknesses, best practices call for introducing robust vulnerability scanning, production infrastructure hardening and auditing to ensure compliance with an organization’s particular regulatory obligations. Unfortunately, DevOps and security teams can find themselves in the position of recognizing vulnerabilities for which no fixes are yet available. Worse, these vulnerabilities are often discovered after security scanning in the build phase is complete, existing within registry images or even containers currently deployed into production. At the same time, malware that’s able to embed itself within the application, zero-day attacks and attacks leveraging phishing techniques or insider participants each represent threats that cannot be fully neutralized by scanning or other security preparations.

Virtual Patching Solves ‘Impossible’ Security Threats

The way to defeat these attacks is to protect container and Kubernetes environments with runtime security featuring deep network and endpoint protection for containers and hosts. Within that security framework, virtual patching introduces the ability to address vulnerabilities for which there is currently no available fix.

While it often must be accepted that vulnerabilities exist in applications in production, that’s not to say the threat they represent can’t be disarmed. Virtual patching protects runtime assets such as containers and hosts by eliminating opportunities for existing vulnerabilities to be exploited. With virtual patching, it isn’t required to update or replace the running asset—a welcome factor in scenarios where such an update is unavailable or impossible.

Virtual patching relies on a container network firewall with Layer 7 detection capabilities to automate the identification and whitelisting of all normal and acceptable application container behaviors, from network connections to protocols and processes to file activities. In a secure environment, containers and hosts must be monitored continuously to recognize any suspicious or unauthorized behaviors. By automatically blocking connections carrying potential threats and locking down container behavior to allow only whitelisted activities, virtual patching protects workloads and hosts as surely as a traditional software patch. With a virtual patch in place preventing abnormal behavior, attacks are thwarted as soon as any unauthorized connection, process or file access is attempted.

Automate Vulnerability Protection With Security as Code and Behavioral Learning

To make container firewall whitelisting and maintenance processes automated and more effective, it’s a best practice to leverage security policy as code and behavioral learning. Security rules for new containerized applications can be defined and deployed as code in an automated manner, utilizing Kubernetes and standard YAML files in the same way deployment manifests are created. This technique makes it possible to introduce automated protection for new or updated workloads as part of their deployment into production. Application behavioral learning is another key method for automating the recognition of appropriate activities that should be whitelisted. In combination with security policy as code, behavioral learning can enable teams to automate security throughout the full application life cycle, from development to production.
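The learn-then-enforce loop described in the two sections above (observe normal connections and processes, turn them into a whitelist that can be stored as code, then deny anything outside it) is modelled below as an added example; it is not NeuVector's or Kubernetes' own code, and the telemetry format and sample lines are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed telemetry in an invented line format (not any vendor's):
# "<container> conn <dst>:<port>/<proto>" or "<container> proc <path>".
LEARNING_LOG = """\
web conn db:5432/tcp
web conn cache:6379/tcp
web proc /usr/sbin/nginx
db proc /usr/bin/postgres
"""

LINE_RE = re.compile(r"^(?P<container>\S+)\s+(?P<kind>conn|proc)\s+(?P<value>\S+)$")


def parse_line(line):
    """Split one telemetry line into (container, kind, value); reject malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised telemetry line: {line!r}")
    return m.group("container"), m.group("kind"), m.group("value")


def learn_whitelist(log_text):
    """Learning mode: every behaviour observed during the baseline window becomes allowed."""
    allowed = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            container, kind, value = parse_line(line)
            allowed[container].add((kind, value))
    return dict(allowed)


def to_policy(allowed):
    """Render the learned whitelist as a manifest-like dict, ready to be committed as code."""
    return {
        name: {
            "connections": sorted(v for k, v in entries if k == "conn"),
            "processes": sorted(v for k, v in entries if k == "proc"),
        }
        for name, entries in sorted(allowed.items())
    }


def check(allowed, line):
    """Protect mode: allow only whitelisted behaviour; unknown containers are denied as well."""
    container, kind, value = parse_line(line)
    if (kind, value) in allowed.get(container, set()):
        return "allow", f"{container}: {kind} {value} is whitelisted"
    return "deny", f"{container}: {kind} {value} not in learned baseline"
```

The `to_policy` output is what a team would serialize to YAML and deploy alongside the workload's manifest, so the learned baseline travels with the application instead of living only in the firewall.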

In the absence of virtual patching, security and DevOps teams are too often overwhelmed with known vulnerabilities that they’re able to detect but unable to address properly. Implementing virtual patching capabilities as part of a security strategy that automates the whitelisting of safe container behaviors introduces new possibilities when it comes to securing container and Kubernetes environments. Virtual patching also enables teams to overcome embedded malware, zero-day attacks and insider or phishing attacks by disallowing the connections and processes those threats utilize. In this way, organizations can go into production with known vulnerabilities in their applications, without worry.

Fei Huang

Fei Huang is the Chief Strategy Officer at NeuVector, a cloud-native Kubernetes security platform provider. Fei has 20+ years of experience in enterprise security, virtualization, cloud and embedded software. He was part of the founding team of CloudVolumes (acquired by VMware) and cofounder of Provilla, a DLP security company acquired by TrendMicro. Fei also holds several patents in security, virtualization and software architecture.
