CVE-2020-8558: 
NixOS vulnerability analysis and mitigation

A security issue (CVE-2020-8558) was discovered in kube-proxy which allows adjacent hosts (hosts running in the same LAN or layer 2 domain) to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. The vulnerability was discovered in June 2020 and affects Kubernetes versions kube-proxy v1.18.0-1.18.3, v1.17.0-1.17.6, and versions prior to 1.16.10 (Kubernetes Announce).

The vulnerability occurs because kube-proxy sets net.ipv4.conf.all.route_localnet=1, which causes the system not to reject traffic to localhost that originates on other hosts. The issue has been rated medium (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) with a score of 5.4. However, in clusters where the API Server insecure port is not disabled, the issue has been rated high (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) with a score of 8.8 (GitHub Issue).

If exploited, this vulnerability could allow attackers to reach services that are intended to be accessible only via localhost. For example, if a cluster administrator runs a TCP service on a node that listens on 127.0.0.1:1234, that service would be potentially reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service. In cases where the API Server's insecure port is not disabled, an attacker could potentially execute arbitrary API requests on the cluster (Kubernetes Discussion).

Prior to upgrading, the vulnerability can be mitigated by manually adding an iptables rule on nodes: 'iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP'. Additionally, it is strongly recommended to disable the API Server insecure port by adding '--insecure-port=0' to the kubernetes API server command line. Fixed versions include kube-proxy v1.19.0+, v1.18.4+, v1.17.7+, and v1.16.11+ (AWS Security Bulletin).

Major cloud providers responded to this vulnerability. AWS released updated Amazon ECS Optimized AMIs and Amazon EKS-Optimized AMIs to address the issue. AWS Fargate was not affected by this vulnerability. The vulnerability was reported by János Kövér from Ericsson, with additional impacts reported by Rory McCune from NCC Group and Yuval Avrahami and Ariel Zelivansky from Palo Alto Networks (AWS Security Bulletin).