Json Yaml Capability Net Bind Service Granted
Description
Detects Kubernetes manifests (YAML or JSON) whose containers keep the NET_BIND_SERVICE capability because the container securityContext does not restrict capabilities. NET_BIND_SERVICE lets a process bind TCP/UDP ports below 1024 without being root, and it belongs to the default capability set most container runtimes grant, so a container that never needs a privileged port still carries it unless the manifest drops it. Leaving the capability in place widens the attack surface: a compromised process in the container can bind privileged ports, and the workload departs from the least-privilege baseline of dropping ALL capabilities and adding back only those it actually requires.
Detection Strategy
• Examines Kubernetes manifest files for container specifications (containers and initContainers of a Pod, or of the pod template inside a workload such as a Deployment)
• Checks whether a securityContext is defined for each container
• Checks whether the capabilities block restricts NET_BIND_SERVICE through its add/drop lists (dropping ALL, or NET_BIND_SERVICE specifically, counts as a restriction; an explicit add is a deliberate grant)
• Reports a vulnerability when NET_BIND_SERVICE remains available because no such restriction is declared
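The strategy above, written out as a small checker that walks a manifest and reports every container in which NET_BIND_SERVICE is still available. This is an added example, not Fluid Attacks' own rule implementation. It works on plain dicts, so JSON parses with the standard library and YAML manifests can be fed in the same way after yaml.safe_load_all (PyYAML is not imported here to keep the block dependency-free). The sample manifests are constructed for the example; the pod-template unwrapping for Deployments, Jobs and CronJobs, the CAP_ prefix normalisation and the privileged: true shortcut go beyond what the page states and are my additions.

```python
"""Flag Kubernetes containers that can still bind privileged ports (NET_BIND_SERVICE).

Added example, not Fluid Attacks' rule implementation. Manifests are handled as
plain dicts, so JSON (stdlib) and YAML (PyYAML's yaml.safe_load_all) both work.
"""
import json
from typing import Iterator

NET_BIND_SERVICE = "NET_BIND_SERVICE"


def _norm(name: str) -> str:
    """Normalise a capability name: upper-case and strip an optional CAP_ prefix."""
    name = str(name).strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def pod_spec_of(manifest: dict) -> dict:
    """Return the PodSpec of a Pod, or of the pod template wrapped by a workload."""
    spec = manifest.get("spec") or {}
    if "jobTemplate" in spec:                      # CronJob -> Job template
        spec = spec["jobTemplate"].get("spec") or {}
    if "template" in spec:                         # Deployment, StatefulSet, DaemonSet, Job
        spec = spec["template"].get("spec") or {}
    return spec


def iter_containers(manifest: dict) -> Iterator[dict]:
    """Yield initContainers first, then containers, of the resolved PodSpec."""
    spec = pod_spec_of(manifest)
    for key in ("initContainers", "containers"):
        yield from (spec.get(key) or [])


def net_bind_service_status(container: dict) -> tuple[bool, str]:
    """Return (available, reason) for NET_BIND_SERVICE in one container.

    Kubernetes applies the drop list before the add list, so an explicit add
    wins over drop: ALL; that is why the add list is examined first.
    """
    sc = container.get("securityContext") or {}
    if sc.get("privileged") is True:               # privileged containers hold every capability
        return True, "privileged container has every capability"
    caps = sc.get("capabilities") or {}
    added = {_norm(c) for c in (caps.get("add") or [])}
    dropped = {_norm(c) for c in (caps.get("drop") or [])}
    if NET_BIND_SERVICE in added or "ALL" in added:
        return True, "NET_BIND_SERVICE explicitly added"
    if NET_BIND_SERVICE in dropped or "ALL" in dropped:
        return False, "dropped"
    if not sc:
        return True, "no securityContext"
    if not caps:
        return True, "securityContext has no capabilities block"
    return True, "capabilities block does not drop NET_BIND_SERVICE"


def audit(manifest: dict) -> list[tuple[str, str]]:
    """List (container name, reason) for every container that can still bind ports < 1024."""
    findings = []
    for c in iter_containers(manifest):
        available, reason = net_bind_service_status(c)
        if available:
            findings.append((c.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample manifests (JSON form of a vulnerable Pod, a hardened Pod and a mixed Deployment).
VULNERABLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "vulnerable-pod"},
 "spec": {"containers": [{"name": "container1", "image": "nginx"}]}}
""")

SECURE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
 "spec": {"automountServiceAccountToken": false,
          "securityContext": {"runAsNonRoot": true},
          "containers": [{"name": "container1", "image": "nginx",
                          "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}
""")

MIXED_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {
   "initContainers": [{"name": "init", "image": "busybox",
                       "securityContext": {"runAsNonRoot": true}}],
   "containers": [
     {"name": "web", "image": "nginx",
      "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
     {"name": "sidecar", "image": "busybox",
      "securityContext": {"capabilities": {"drop": ["CAP_NET_BIND_SERVICE"]}}}]}}}}
""")

if __name__ == "__main__":
    for manifest in (VULNERABLE_POD, SECURE_POD, MIXED_DEPLOYMENT):
        print(manifest["metadata"]["name"], audit(manifest))
```

Run against the samples, the vulnerable Pod is reported because it has no securityContext at all, the hardened Pod is clean, and the Deployment yields two findings: the init container declares a securityContext but no capabilities block, and the web container carries a deliberate add of NET_BIND_SERVICE, which is worth reviewing rather than silently accepting. The sidecar's CAP_-prefixed drop is recognised thanks to the normalisation step.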
Vulnerable code example
apiVersion: v1
kind: Pod
metadata:
  name: vulnerable-pod
spec:
  containers:
    - name: container1
      image: nginx
      # No securityContext at all: the runtime's default capability set,
      # which includes NET_BIND_SERVICE, stays in place
✅ Secure code example
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  automountServiceAccountToken: false # Prevent access to service account credentials
  securityContext:
    runAsNonRoot: true # Prevent running as root user
  containers:
    - name: container1
      image: nginx
      securityContext:
        capabilities:
          drop:
            - ALL # Removes NET_BIND_SERVICE together with every other default capability
If the workload genuinely has to bind a port below 1024, keep drop: ALL and add back only NET_BIND_SERVICE under add; where possible, prefer an image that listens on an unprivileged port (8080, for example) and expose port 80 through a Service instead. Note that the stock nginx image starts as root and binds port 80, so a manifest like this one belongs with an image built to run as a non-root user on an unprivileged port.