Tag Archive for: Kubernetes

Group permission misconfiguration exposes Google Kubernetes Engine clusters

/in


GKE also supports anonymous access, and requests made to the Kubernetes API without presenting a client certificate or an authorized bearer token will automatically be executed as the “system:anonymous” user and the “system:unauthenticated” group role. However, if a token or certificate is presented, the API request will be identified as the corresponding identity with its defined roles but also with the roles assigned to the system:authenticated group. By default, this group provides access to some basic discovery URLs that don’t expose sensitive information, but admins could expand the group’s permissions without realizing the implications. “Administrators might think that binding system:authenticated to a new role, to ease their managerial burden of tens or hundreds of users, is completely safe,” the researchers said. “Although this definitely makes sense at first glance, this could actually turn out to be a nightmare scenario.”

To execute authenticated requests to a GKE cluster, all a user needs to do is use Google’s OAuth 2.0 Playground and authorize their account for the Kubernetes Engine API v1. By completing the playgroup authorization process, any user with a Google account can obtain an authorization code that can be exchanged for an access token on the same page. This access token can then be used to send requests to any GKE cluster and successfully identify as system:authenticated, which includes the system:basicuser role.

The system:basicuser allows users to list all the permissions they currently have, including those inherited from the system:authenticated group by querying the SelfSubjectRulesReview object. This provides a simple way for attackers to investigate whether a cluster’s admin has overpermissioned system:authenticated.

The Orca researchers demonstrated the impact with an example where the admin decided to associate any authenticated user with the ability to read all resources across all apiGroups in the cluster. This is “something that can be somewhat useful when there is a real governance around the users which can authenticate to the cluster, but not on GKE,” they said. “Our attacker can now, in the current…

Source…

New cryptojacking malware can hack in Kubernetes clusters using this easy trick

/in


Dero is a relatively new cryptocurrency that places a strong emphasis on privacy. It utilizes directed acyclic graph (DAG) technology, which allows it to make the claim that its transactions are completely anonymous. The combination of anonymity and a greater rewards ratio makes it potentially attractive for cryptojacking organizations in comparison to Monero, which is the coin that is most often used by attackers or groups conducting miner operations. CrowdStrike has discovered the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. 

A cryptojacking operation using Monero was also discovered; this operation is aware of the Dero effort and is actively competing with it. The Monero campaign mines XMR on the host by elevating their privileges via the usage of DaemonSets and mounting the host as the root user.

Attackers specifically targeted Kubernetes clusters running on non-standard ports by scanning for and locating exposed vulnerable Kubernetes clusters that had the authentication setting —anonymous-auth=true. This setting enables anonymous access to the Kubernetes API and was the target of the attackers’ attention. It is possible for a user with adequate access to mistakenly expose a secure Kubernetes API on the host where kubectl is operating by performing the “Kubectl proxy” command. This is a less apparent approach to expose the secure Kubernetes cluster without authentication. The Kubernetes control plane application programming interface does not provide anonymous access out of the box in Kubernetes. Nevertheless, since the choice to make secure-by-default the default was delayed, and there are a variety of ways in which Kubernetes might be inadvertently exposed, there is still a legacy of exposed systems on the internet.

After the first engagement with the Kubernetes API, the attacker will next install a Kubernetes DaemonSet with the name “proxy-api.” On every node in the Kubernetes cluster, the DaemonSet installs a pod that contains malicious code. This makes it easier for attackers to operate a cryptojacking operation by simultaneously using the resources of all of the nodes in the network. The mining efforts that are…

Source…

Over 900K Kubernetes clusters are misconfigured! Is yours a target? • Graham Cluley

/in


Over 900K Kubernetes clusters are misconfigured! Is your cluster a target?

Many thanks to the great team at Teleport, who have sponsored my writing for the past week.

Kubernetes is an amazing platform for managing containers at scale. However, a recent study found that over 900,000 Kubernetes clusters are vulnerable to attack because they are misconfigured! This means that your Kubernetes cluster could be a target for malicious hackers if it is not properly secured. In this article, we will discuss how to secure your Kubernetes cluster and protect it from attack.

The scan from cyble found over 900K Kubernetes clusters exposed to the internet, with over 800 returning an `200 OK` Response code when queried. This means that an anonymous user can potentially get full access to the pods and the Kubernetes Dashboard.

Having a public Kubernetes API server endpoint isn’t necessarily a bad thing. With the correct authentication, it’s OK to keep it public. But as Kubernetes vulnerabilities are found, it’s a good idea to limit the API server endpoint access to only those that need it.

For people self hosts, you can limit IP addresses using software-based firewalls and if using a hosted Kubernetes service, many offer the ability to make the API either Public, Limited per CIDR or Private. Private only lets access via a VPC and completely disables public internet access to the API Server. If using AWS, EKS information on securing the public endpoint is available here.

Providing secure access at scale?
One problem with the above proposal is it’s either limited to static CIDR blocks (what happens if I work from home or go to the office?) — or I need a method of using a bastion or jump host to get into the VPC. This is where an OSS tool such as Teleport can provide the solution. Teleport is an identity-based access plane that can be deployed in a public subnet to provide a secure gateway to one or many Kubernetes clusters.

Decommission unused auth methods and unused tokens
Perform periodic review of unused auth methods and auth tokens and remove or disable them. Administrators often use certain tools to help ease setup with the Kubernetes cluster and later switch to other methods for managing clusters. It is important in this case that…

Source…

Software supply chain security risks surround Kubernetes

/in


Kubernetes and cloud-native computing sit squarely in the middle of a seismic shift in the last decade toward enterprise use of open source — and all the software supply chain security concerns that come with it.

This open source shift isn’t piecemeal: Four of the 17 industry sectors represented in the 2022 edition of an annual “Open Source Security and Risk Analysis” report by Synopsys include open source in 100% of their codebases; the remaining 13 industries use open source in 93% to 99% of their codebases.

Meanwhile, since the SolarWinds attack in late 2020, a series of high-profile exploits in open source code has revealed the far-reaching cybersecurity implications of its convoluted supply chains. In late 2021, the Log4j vulnerability exposed how open source libraries wrapped up in other dependencies could be used in potentially devastating and difficult-to-detect attacks, as enterprises had trouble determining whether vulnerable libraries were present in their environments, and where.

Against this backdrop, Kubernetes itself remains a relatively safe haven because of its large, highly invested community, according to the Synopsys report. But plenty of other open source components are involved in the Kubernetes ecosystem, including small, single-developer projects, whose maintenance — or lack thereof — can leave the wider platform vulnerable.

“GitHub has millions of projects in which the number of developers is in the single digits,” according to the Synopsys report. “One of the takeaways from Log4Shell’s discovery should be the need to create a path to mitigate the business risk associated with using open source software. The important distinction here is that open source itself doesn’t create business risk, but its mismanagement does.”

Kubernetes + automated deployments = supply chain risks

SolarWinds was compromised via its CI/CD process, and other recently uncovered open source security vulnerabilities took similar advantage of automated deployment and update mechanisms that researchers tricked into deploying malicious packages.

The 2022 “Cloud Native Threat Report” published by container runtime security vendor Aqua on April 20 described one such exploit,…

Source…