C-0021 - Exposed sensitive interfaces
Framework
AllControls, MITRE
Severity
Medium
Description of the the issue
Exposing a sensitive interface to the internet poses a security risk. Some popular frameworks were not intended to be exposed to the internet, and therefore don’t require authentication by default. Thus, exposing them to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.Note, this control is configurable. See below the details.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, Service, StatefulSet
What does this control test
Checking if a service of type nodeport/loadbalancer to one of the known exploited interfaces (Apache NiFi, Kubeflow, Argo Workflows, Weave Scope Kubernetes dashboard) exists. Needs to add user config
Remediation
Consider blocking external interfaces or protect them with appropriate security tools.
Configuration
This control can be configured using the following parameters. Read CLI/UI documentation about how to change parameters.
Service names
servicesNames
Kubescape will look for the following services that exposes sensitive interfaces of common K8s projects/applications
Sensitive interfaces
sensitiveInterfaces
The following interfaces were seen exploited. Kubescape checks it they are externally exposed.
Example
No example
Updated 28 days ago