CVE-2020-8558

Abstract

CVE-2020-8558 is a vulnerability in Kubernetes kube-proxy (versions ≤ 1.18.0) that allowed an attacker with access to a node's pod network to bypass localhost (127.0.0.1) restrictions. Due to insufficient filtering of --nodeport-addresses and default net.ipv4.conf.all.route_localnet=1 behavior, services bound to the loopback address on a Kubernetes node became reachable from other pods or cluster nodes. This paper describes the technical root cause, exploitation vector, impact, and remediation strategies.

1. Introduction

Kubernetes uses kube-proxy to manage network rules (iptables/IPVS) for Services. By design, certain node-local services (e.g., kubelet metrics, debugging endpoints) bind only to 127.0.0.1 to prevent remote access. However, CVE-2020-8558 allowed remote pods to reach those loopback-bound services by sending packets to the node's primary IP address when route_localnet was enabled.

Example rule added:

This vulnerability was assigned a CVSS v3 score of 5.9 (Medium) – later upgraded by some vendors to 7.5 due to practical exploitability in shared cluster environments.

2. Technical Root Cause

2.1 The route_localnet Setting

Linux kernel parameter:

: Connection refused. With CVE-2020-8558: Metrics returned.

6. Mitigation & Patching

6.1 Official Fix

Kubernetes v1.18.3+ adds explicit iptables rules to drop packets arriving on non-loopback interfaces destined for 127.0.0.0/8 unless specifically allowed.
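A defensive audit of the condition described above, as an added example that is not part of the original paper or of Kubernetes: it combines the route_localnet value with a node's iptables-save output to decide whether loopback-bound services are still reachable from the network. The function names, the rule-matching heuristic and both sample rule sets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Kubernetes code): classify a node's CVE-2020-8558 exposure.
#   $1    = net.ipv4.conf.all.route_localnet (pass 1 if any per-interface value
#           is 1; the kernel ORs the "all" and per-interface settings)
#   stdin = `iptables-save` output from the node
# Prints one verdict: not-exposed | mitigated | exposed. Returns 2 on bad input.

# Assumption: a mitigating rule is a DROP for destination 127.0.0.0/8 limited to
# traffic that is not from loopback (negated source or negated "lo" interface).
has_localnet_drop() {
    awk '/^-A / && /-d 127\.0\.0\.0\/8 / && /-j DROP/ &&
         (/! -s 127\.0\.0\.0\/8 / || /! -i lo /) { found = 1 }
         END { exit !found }'
}

localnet_verdict() {
    case $1 in
        # With route_localnet=0 the kernel discards 127/8 packets from the wire
        # as martians, so no firewall rule is needed; drain stdin and report.
        0) cat >/dev/null; echo not-exposed; return 0 ;;
        1) ;;
        *) echo "bad route_localnet value: '$1'" >&2; return 2 ;;
    esac
    if has_localnet_drop; then echo mitigated; else echo exposed; fi
}

# Constructed sample rule sets (not captured from a real node).
UNPATCHED_RULES='*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
COMMIT'

PATCHED_RULES='*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
COMMIT'

echo "unpatched, route_localnet=1: $(printf '%s\n' "$UNPATCHED_RULES" | localnet_verdict 1)"
echo "patched,   route_localnet=1: $(printf '%s\n' "$PATCHED_RULES" | localnet_verdict 1)"
echo "unpatched, route_localnet=0: $(printf '%s\n' "$UNPATCHED_RULES" | localnet_verdict 0)"
```

On a node, pipe `iptables-save` into `localnet_verdict "$(sysctl -n net.ipv4.conf.all.route_localnet)"`; an "exposed" verdict means the node relies on every loopback listener being safe to reach from the pod network.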

Negligible if fully updated, but legacy clusters remain exposed.

Document version 1.0 – Security Research