Covered by FixVibe · medium

Traffic Interception in Kubernetes via ExternalIPs (CVE-2020-8554)

FixVibe repo scans can flag Kubernetes Service manifests that explicitly set non-empty spec.externalIPs as static source/config hardening evidence for CVE-2020-8554. The check does not inspect live clusters, RBAC, admission policy, deployed Services, or traffic paths.

CVE-2020-8554 · CWE-283

CVE-2020-8554 describes the traffic-interception risk of Kubernetes Service ExternalIPs: a user who can create or patch Services can choose the external IPs a Service claims. Kubernetes has recommended disabling or tightly controlling this feature, and has announced deprecation of Service ExternalIPs in Kubernetes 1.36.

When this matters

A manifest with spec.externalIPs is not proof of compromise. It is source/config evidence that the cluster owner should confirm the route is intentional and that only trusted administrators or tightly scoped automation can set ExternalIPs.

Covered by FixVibe

FixVibe can flag Kubernetes Service manifests in GitHub repo scans when spec.externalIPs is explicitly set to a non-empty list. This is a static repository check. It does not inspect live clusters, enumerate deployed Services, review RBAC, evaluate admission policy, send traffic, or prove traffic interception.

Remediation

Remove ExternalIPs unless they are required. Prefer a provider LoadBalancer, Ingress, Gateway API, MetalLB with approved address pools, or another cluster-approved routing path. If ExternalIPs must remain, restrict Service create/update permissions, enforce a deny-by-default or allowlist admission policy, audit live Services, and monitor future Service changes.
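The following is an added example, not FixVibe's scanner or any Kubernetes component. It shows both halves of the page in working code: the static check from "Covered by FixVibe" (walk a manifest, flag every Service whose spec.externalIPs is a non-empty list, treating an explicit empty list as unset) and the deny-by-default allowlist decision that the remediation section asks an admission policy to make. Manifests are given as Python dicts in the JSON form of a Kubernetes object (a real scan would load YAML files from the repository); the approved-address pool and the sample Services are constructed placeholders using RFC 5737 documentation addresses.

```python
"""Static externalIPs check plus an allowlist admission verdict.

Added example, not FixVibe's own scanner. Manifests are plain dicts (the
JSON form of a Kubernetes object); a repository scan would parse YAML
instead. APPROVED_EXTERNAL_IPS is a constructed placeholder pool.
"""
from __future__ import annotations

from typing import Any, Iterable, Iterator

# Constructed allowlist standing in for a cluster-approved address pool.
APPROVED_EXTERNAL_IPS = frozenset({"203.0.113.10"})


def iter_objects(doc: Any) -> Iterator[dict]:
    """Yield individual Kubernetes objects from a manifest document.

    Handles a single object, a list of documents (multi-doc file) and the
    kind: List wrapper that kubectl emits.
    """
    if isinstance(doc, list):
        for item in doc:
            yield from iter_objects(item)
    elif isinstance(doc, dict):
        if doc.get("kind") == "List":
            yield from iter_objects(doc.get("items", []))
        else:
            yield doc


def external_ips(obj: dict) -> list[str]:
    """Return spec.externalIPs of a Service, or [] when absent or empty."""
    if obj.get("kind") != "Service":
        return []
    spec = obj.get("spec") or {}
    ips = spec.get("externalIPs")
    if not isinstance(ips, list):
        return []
    return [ip for ip in ips if isinstance(ip, str)]


def find_external_ip_services(doc: Any) -> list[tuple[str, list[str]]]:
    """Flag every Service with a non-empty spec.externalIPs.

    Returns (namespace/name, ips) pairs; namespace defaults to 'default'.
    This is the static, repository-side check: no cluster is contacted.
    """
    findings = []
    for obj in iter_objects(doc):
        ips = external_ips(obj)
        if ips:
            meta = obj.get("metadata") or {}
            name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
            findings.append((name, ips))
    return findings


def admission_verdict(obj: dict,
                      approved: Iterable[str] = APPROVED_EXTERNAL_IPS) -> tuple[bool, str]:
    """Allowlist decision a validating admission policy could implement.

    Deny-by-default: any externalIP outside the approved pool rejects the
    Service. Services that set no externalIPs are allowed unchanged.
    """
    ips = external_ips(obj)
    if not ips:
        return True, "no externalIPs set"
    rejected = sorted(set(ips) - set(approved))
    if rejected:
        return False, f"externalIPs not in approved pool: {', '.join(rejected)}"
    return True, "all externalIPs approved"


# Constructed sample manifests (JSON form of what would be YAML in a repo).
SAMPLE_MANIFESTS = [
    {   # Claims an unapproved external IP: flagged by the scan, denied by the policy.
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "api", "namespace": "prod"},
        "spec": {"selector": {"app": "api"}, "externalIPs": ["198.51.100.7"],
                 "ports": [{"port": 443}]},
    },
    {   # Same workload exposed through a provider LoadBalancer instead: clean.
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "api-lb", "namespace": "prod"},
        "spec": {"type": "LoadBalancer", "selector": {"app": "api"},
                 "ports": [{"port": 443}]},
    },
    {   # Explicit empty list counts as unset and is not flagged.
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": "internal"},
        "spec": {"externalIPs": [], "ports": [{"port": 80}]},
    },
]

if __name__ == "__main__":
    for name, ips in find_external_ip_services(SAMPLE_MANIFESTS):
        print(f"FLAG  {name}: spec.externalIPs={ips}")
    for obj in iter_objects(SAMPLE_MANIFESTS):
        ok, reason = admission_verdict(obj)
        print(f"{'ALLOW' if ok else 'DENY '} {obj['metadata']['name']}: {reason}")
```

Running the block flags only prod/api; the LoadBalancer variant and the empty-list Service pass both the scan and the verdict, which mirrors the page's point that a non-empty spec.externalIPs is evidence to confirm, not proof of compromise.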
