Information disclosure via NET_RAW capability in Kubernetes containers

Medium Risk | infrastructure-security

Tags: kubernetes, capabilities, net-raw, network-security, information-disclosure, packet-sniffing, lateral-movement

What it is

CAP_NET_RAW lets a process open raw (SOCK_RAW) and packet (AF_PACKET) sockets, which is exactly what ping, tcpdump and ARP-spoofing tools rely on. A container that keeps the capability, and runs as root so that it is effective, can capture every packet that crosses its own interface, craft arbitrary frames with spoofed source addresses, and, on CNIs that bridge pods at layer 2, poison the ARP caches of neighbouring pods to intercept their traffic, including cleartext service-to-service and DNS requests. That turns a single compromised pod into a platform for credential capture, lateral movement and data exfiltration inside the cluster, which is why the capability should be dropped wherever the workload does not demonstrably need it.

# VULNERABLE: Pod with default capabilities (includes NET_RAW)
apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-app-pod
spec:
  containers:
  - name: app
    image: app:v1.0.0
    # VULNERABLE: No capabilities specified, so the runtime's default set (which includes NET_RAW) applies

# VULNERABLE: Deployment with explicit NET_RAW capability
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vulnerable-network-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: network-app
  template:
    metadata:
      labels:
        app: network-app
    spec:
      containers:
      - name: network-tool
        image: network-tool:latest
        securityContext:
          capabilities:
            add: ["NET_RAW", "NET_ADMIN"]  # VULNERABLE: Explicit NET_RAW

# SECURE: Pod with NET_RAW capability dropped
apiVersion: v1
kind: Pod
metadata:
  name: secure-app-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: app:v1.0.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]  # SECURE: Drop all capabilities including NET_RAW
        # add: ["NET_BIND_SERVICE"]  # Only add specific needed capabilities

# SECURE: Deployment with minimal capabilities
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secure-network-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: network-app
  template:
    metadata:
      labels:
        app: network-app
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: network-tool
        image: network-tool:v1.0.0
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]  # SECURE: Drop NET_RAW and all other capabilities
            # Only add specific capabilities if absolutely required
            # add: ["NET_BIND_SERVICE"]  # Example: only if binding to port <1024


Why it happens

Kubernetes does not define a capability set of its own; it passes through the container runtime's default set, and containerd, CRI-O and Docker all include CAP_NET_RAW in that default (largely so that ping works) unless the pod's securityContext drops it. Any process running as root in such a container therefore holds NET_RAW as an effective capability and can open raw and packet sockets for arbitrary packet crafting and sniffing.

Root causes

Default NET_RAW Capability

The OCI runtime's default bounding set includes CAP_NET_RAW and Kubernetes leaves it in place unless the container explicitly drops it. Running as a non-root user (runAsNonRoot) empties the effective set but not the bounding set, so a setuid-root binary or a file carrying cap_net_raw file capabilities inside the image can bring it back; allowPrivilegeEscalation: false blocks that path, but only drop: ["ALL"] (or drop: ["NET_RAW"]) removes the capability from the bounding set.

Overprivileged Container Configuration

Containers are given broad capability sets, by leaving the runtime default untouched or by adding NET_RAW and NET_ADMIN outright, instead of starting from drop: ["ALL"] and adding back only what the application can justify. Network-manipulation capabilities end up in ordinary application pods that never open a raw socket.
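To see which of those sets a process actually holds, read the capability masks the kernel reports in /proc/self/status. The following Python is an added example, not code from the original page or from Sourcery: it decodes the CapEff (effective) and CapBnd (bounding) masks and classifies the NET_RAW exposure of the process. The three status snippets are constructed; 0xa80425fb is the default bounding set that Docker and containerd grant. Run it inside a pod and it also classifies the real /proc/self/status.

```python
"""Classify CAP_NET_RAW exposure from the capability masks in /proc/<pid>/status.

Added example (not from the original page). Works on the constructed snippets
below and, on Linux, on the real /proc/self/status.
"""
import os
import re

# Capability bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE = 10
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13

# Constructed sample: root inside a container that kept the runtime default set.
# 0xa80425fb is the default bounding set Docker/containerd assign; bit 13 is set.
SAMPLE_ROOT_DEFAULT = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: same container, process started as UID 1000 (runAsNonRoot).
# Effective/permitted are empty, but the bounding set still allows NET_RAW to be
# regained through a setuid binary or file capabilities shipped in the image.
SAMPLE_NONROOT_DEFAULT = """\
Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: container with capabilities.drop: ["ALL"], running as root.
SAMPLE_DROP_ALL = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
"""

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_masks(status_text):
    """Return {'CapEff': int, 'CapBnd': int, ...} parsed from status text."""
    masks = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask, cap_bit):
    """True if capability number cap_bit is set in the 64-bit mask."""
    return bool((mask >> cap_bit) & 1)


def cap_names(mask):
    """Names of the network capabilities this page cares about that are set in mask."""
    table = {CAP_NET_BIND_SERVICE: "NET_BIND_SERVICE",
             CAP_NET_ADMIN: "NET_ADMIN",
             CAP_NET_RAW: "NET_RAW"}
    return sorted(name for bit, name in table.items() if has_cap(mask, bit))


def net_raw_exposure(status_text):
    """'effective'    : the process can open raw/packet sockets right now
       'bounding-only': not effective, but obtainable via setuid or file caps
       'dropped'      : removed from the bounding set, cannot be regained"""
    masks = parse_cap_masks(status_text)
    if has_cap(masks.get("CapEff", 0), CAP_NET_RAW):
        return "effective"
    if has_cap(masks.get("CapBnd", 0), CAP_NET_RAW):
        return "bounding-only"
    return "dropped"


def self_exposure():
    """Classify the current process; returns None where /proc is unavailable."""
    path = "/proc/self/status"
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return net_raw_exposure(f.read())


if __name__ == "__main__":
    for label, text in [("root, runtime default", SAMPLE_ROOT_DEFAULT),
                        ("non-root, runtime default", SAMPLE_NONROOT_DEFAULT),
                        ("drop ALL", SAMPLE_DROP_ALL)]:
        print(f"{label:26} -> {net_raw_exposure(text)}")
    print("this process               ->", self_exposure())
```

The "bounding-only" result is the one worth noticing: it is what runAsNonRoot on its own produces, and it is not the same as the capability being gone.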

Fixes

1. Drop NET_RAW Capability

In each container's securityContext set capabilities.drop: ["ALL"] and add back only the capabilities the application can justify (for most services, none; NET_BIND_SERVICE if it must listen below port 1024). Dropping ALL removes NET_RAW from the bounding set, so it cannot be regained by a setuid binary or file capabilities, which a plain runAsNonRoot does not guarantee.

2. Use Network Policies

Apply Kubernetes NetworkPolicy objects (default deny ingress and egress per namespace, then allow only the flows each workload needs) so that a container which still holds NET_RAW can reach far fewer targets. Note the limit of this control: NetworkPolicy is enforced at layer 3/4 and does not by itself stop ARP spoofing between pods on the same layer 2 segment; it reduces blast radius rather than replacing fix 1.

3. Implement Pod Security Standards

Enforce the restricted Pod Security Standard with Pod Security Admission (label the namespace pod-security.kubernetes.io/enforce: restricted) or with a policy engine such as Kyverno or Gatekeeper. The restricted profile requires every container to drop ALL capabilities and permits re-adding only NET_BIND_SERVICE; the baseline profile rejects an explicit add of NET_RAW but does not require dropping the runtime default, so baseline alone leaves the pods shown in the vulnerable examples running with NET_RAW.
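A quick way to confirm that fixes 1 and 3 actually landed is to audit the workload objects the API server returns rather than the manifests in git. The Python below is an added example, not part of the original page or of Sourcery's tooling: it takes the items array from `kubectl get pods,deployments -A -o json`, classifies each container's NET_RAW state, and checks the capability rule of the Pod Security Standards restricted profile (drop ALL, re-add at most NET_BIND_SERVICE). The embedded item list is constructed to mirror the manifests shown above, plus one partially fixed pod.

```python
"""Audit Kubernetes workloads for containers that keep CAP_NET_RAW.

Added example (not from the original page). Input shape is the `items` array of
`kubectl get pods,deployments,... -o json`; a constructed list is embedded.
"""
import json

# Kinds whose pod spec lives under .spec.template.spec
TEMPLATED_KINDS = {"Deployment", "ReplicaSet", "StatefulSet", "DaemonSet", "Job"}

# Constructed sample mirroring the manifests on this page, plus a partial fix.
SAMPLE_ITEMS_JSON = """
[
  {"kind": "Pod", "metadata": {"name": "vulnerable-app-pod", "namespace": "default"},
   "spec": {"containers": [{"name": "app", "image": "app:v1.0.0"}]}},
  {"kind": "Deployment", "metadata": {"name": "vulnerable-network-app", "namespace": "default"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "network-tool", "image": "network-tool:latest",
      "securityContext": {"capabilities": {"add": ["NET_RAW", "NET_ADMIN"]}}}]}}}},
  {"kind": "Pod", "metadata": {"name": "secure-app-pod", "namespace": "default"},
   "spec": {"containers": [
     {"name": "app", "image": "app:v1.0.0",
      "securityContext": {"allowPrivilegeEscalation": false,
                          "capabilities": {"drop": ["ALL"]}}}]}},
  {"kind": "Pod", "metadata": {"name": "partial-fix-pod", "namespace": "default"},
   "spec": {"containers": [
     {"name": "app", "image": "app:v1.0.0",
      "securityContext": {"capabilities": {"drop": ["NET_RAW"], "add": ["CHOWN"]}}}]}}
]
"""


def pod_spec(obj):
    """Locate the PodSpec inside a Pod, a templated controller, or a CronJob."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind in TEMPLATED_KINDS:
        return obj["spec"]["template"]["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind {kind!r}")


def normalize_cap(name):
    """Compare case-insensitively and without an optional CAP_ prefix, so a
    manifest that spells it 'cap_net_raw' is not missed."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def capability_sets(container):
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = {normalize_cap(c) for c in (caps.get("add") or [])}
    dropped = {normalize_cap(c) for c in (caps.get("drop") or [])}
    return added, dropped


def net_raw_state(container):
    """'added' (explicitly granted; fails PSS baseline), 'dropped', or
    'runtime-default' (nothing said, so the runtime default, which includes
    NET_RAW, applies)."""
    added, dropped = capability_sets(container)
    if "NET_RAW" in added:  # add is applied after drop, so add wins
        return "added"
    if "ALL" in dropped or "NET_RAW" in dropped:
        return "dropped"
    return "runtime-default"


def meets_restricted_caps(container):
    """PSS restricted profile: must drop ALL, may add back only NET_BIND_SERVICE."""
    added, dropped = capability_sets(container)
    return "ALL" in dropped and added <= {"NET_BIND_SERVICE"}


def audit(items):
    """One finding per container (init containers included)."""
    findings = []
    for obj in items:
        spec = pod_spec(obj)
        meta = obj["metadata"]
        ref = f'{obj["kind"]}/{meta.get("namespace", "default")}/{meta["name"]}'
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            findings.append({
                "workload": ref,
                "container": c["name"],
                "net_raw": net_raw_state(c),
                "restricted_ok": meets_restricted_caps(c),
            })
    return findings


def audit_json(text):
    return audit(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_ITEMS_JSON):
        flag = "OK " if f["net_raw"] == "dropped" else "BAD"
        print(f'{flag} {f["workload"]} [{f["container"]}] '
              f'net_raw={f["net_raw"]} restricted_ok={f["restricted_ok"]}')
```

Against a live cluster, pipe `kubectl get pods,deployments,daemonsets,statefulsets -A -o json | python3 -c '...'` through audit_json on the .items array; anything reported as "runtime-default" or "added" still has raw sockets available.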

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure via the NET_RAW capability in Kubernetes containers, along with many other security issues in your codebase.