TF 0404 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
NET_RAW capability added
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | omission |
Description
Granting the NET_RAW capability to containers allows them to craft raw network packets, which is generally unnecessary and increases the attack surface. This capability can enable unintended or malicious network activities from within the container.
Impact
If exploited, attackers could use the NET_RAW capability to intercept network traffic or send spoofed packets, potentially leading to data leaks, network attacks, or lateral movement within the environment. This undermines network security controls and can compromise both application and infrastructure integrity.
Resolution
To mitigate this risk, remove the NET_RAW capability from `containers[].securityContext.capabilities.add`. The recommended practice is to drop all capabilities and add back only those the container actually needs.
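The check and the remediation described above, as an added example (this is not code from the Symbiotic-Vulnerability-Database project): a small scanner that walks a Pod manifest's `initContainers`, `containers` and `ephemeralContainers`, flags any container whose `capabilities.add` grants `NET_RAW` (or `ALL`, which includes it), and rewrites the spec to drop all capabilities and re-add only what was there apart from `NET_RAW`. The `WEAK_POD` manifest is constructed sample input, all function names are this example's own, and accepting the `CAP_` prefix as a spelling variant is an assumption made so a variant spelling cannot hide the finding.

```python
"""Scan a Kubernetes Pod manifest for containers that add NET_RAW (or ALL, which
implies it) through securityContext.capabilities.add, and show the remediation of
dropping every capability and re-adding only what the workload needs.

Added example for this wiki entry; not code from the Symbiotic-Vulnerability-Database
project. The manifest below is constructed sample input; function names are this
example's own."""
import copy
from typing import Any, Dict, Iterator, List, Tuple

Container = Dict[str, Any]

# Pod spec fields that hold container definitions; each entry can carry its own
# securityContext, so all three are checked (initContainers are easy to overlook).
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def normalize_capability(cap: str) -> str:
    """Upper-case the name and strip an optional CAP_ prefix.

    Kubernetes expects bare names (NET_RAW), but manifests copied from Docker or
    kernel documentation sometimes say CAP_NET_RAW; treating both alike is this
    example's assumption."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def iter_containers(pod_spec: Dict[str, Any]) -> Iterator[Tuple[str, Container]]:
    """Yield (field name, container dict) for every container in the spec."""
    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field) or []:
            yield field, container


def capability_sets(container: Container) -> Tuple[set, set]:
    """Return (added, dropped) capability name sets, normalized."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = {normalize_capability(c) for c in caps.get("add") or []}
    dropped = {normalize_capability(c) for c in caps.get("drop") or []}
    return added, dropped


def scan_pod(manifest: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Report every container whose capabilities.add grants NET_RAW.

    ALL in add is flagged too, since it includes NET_RAW. An explicit add still
    takes effect when drop lists ALL, so drop alone does not clear the finding."""
    findings = []
    for field, container in iter_containers(manifest.get("spec") or {}):
        added, dropped = capability_sets(container)
        if "NET_RAW" in added or "ALL" in added:
            findings.append({
                "field": field,
                "container": container.get("name", "<unnamed>"),
                "added": sorted(added),
                "drops_all": "ALL" in dropped,
            })
    return findings


def remediate(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy in which every container drops ALL capabilities and re-adds
    only what it previously added, minus NET_RAW (and minus a blanket ALL)."""
    fixed = copy.deepcopy(manifest)
    for _, container in iter_containers(fixed.get("spec") or {}):
        added, _ = capability_sets(container)
        keep = sorted(added - {"NET_RAW", "ALL"})
        sc = container.get("securityContext") or {}   # tolerate securityContext: null
        container["securityContext"] = sc
        caps: Dict[str, Any] = {"drop": ["ALL"]}
        if keep:
            caps["add"] = keep
        sc["capabilities"] = caps
    return fixed


# Constructed sample: an init container that adds ALL, and an app container that
# adds NET_RAW (Docker spelling) next to a capability it plausibly needs.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-app"},
    "spec": {
        "initContainers": [{
            "name": "setup",
            "image": "example/setup:1.0",
            "securityContext": {"capabilities": {"add": ["ALL"]}},
        }],
        "containers": [{
            "name": "app",
            "image": "example/app:1.0",
            "securityContext": {"capabilities": {
                "drop": ["ALL"],
                "add": ["CAP_NET_RAW", "NET_BIND_SERVICE"],
            }},
        }],
    },
}

if __name__ == "__main__":
    for f in scan_pod(WEAK_POD):
        print(f"{f['field']}/{f['container']}: adds {f['added']} (drops ALL: {f['drops_all']})")
    print("findings after remediation:", scan_pod(remediate(WEAK_POD)))
```

Running the block reports both containers of the constructed manifest; after `remediate` the app container keeps only `NET_BIND_SERVICE` on top of `drop: [ALL]`, the init container keeps nothing, and a rescan is empty. The `drops_all` field is reported rather than used to suppress the finding, because `drop: [ALL]` combined with `add: [NET_RAW]` still grants the capability.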