
posted by martyb on Wednesday December 05 2018, @10:37AM
from the just-make-containers-all-the-way-down dept.

First major security flaw in popular cloud container orchestrator Kubernetes discovered – and it may be impossible to tell if you have been compromised

As outlined on Red Hat’s website, the security hole or “privilege escalation flaw” is a nasty piece of work. In a nutshell, it makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster.

[...] The vulnerability itself is located in the Kubernetes API server. Using a specially crafted connection request, the hacker can connect through the Kubernetes API server directly to the backend. Once in the network, they can then send arbitrary requests over the same connection to the backend server.

Perhaps most alarmingly, the Kubernetes API server connections to the backend are all authenticated with Kubernetes Transport Layer Security (TLS) credentials – meaning all the nefarious connections appear above board and applications appear to function as normal.

[...] “There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server,” reads the post.

It doesn’t take a whole lot of hacking nous or access privileges to take advantage of the flaw, either: “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation,” continues the post.

[...] It remains to be seen whether the security flaw has been used to attack any Kubernetes user.


  • (Score: -1, Troll) by Anonymous Coward on Wednesday December 05 2018, @11:32AM (5 children)

    by Anonymous Coward on Wednesday December 05 2018, @11:32AM (#770025)

    No, seriously, I don't run kurgettenets, neither do I hack the damned vegetables. Why should I care?

    • (Score: 0) by Anonymous Coward on Wednesday December 05 2018, @11:51AM (4 children)

      by Anonymous Coward on Wednesday December 05 2018, @11:51AM (#770028)

      No, seriously, I don't run kurgettenets, neither do I hack the damned vegetables. Why should I care?

      I don't know. But apparently you do care enough to whinge about it. Good show!

      • (Score: 0) by Anonymous Coward on Wednesday December 05 2018, @12:00PM (1 child)

        by Anonymous Coward on Wednesday December 05 2018, @12:00PM (#770032)

        But apparently you do care enough to whinge about it.

        Such a waste of time waiting for something I can troll in a professional way.
        How is that Brexit going?

        • (Score: 0) by Anonymous Coward on Wednesday December 05 2018, @12:20PM

          by Anonymous Coward on Wednesday December 05 2018, @12:20PM (#770035)

          Such a waste of time waiting for something I can troll in a professional way.

          A fair point. It's not too often that there are articles on here about your profession (knob-jockey to the poofy punters). But perhaps if you wait long enough...

          Now get back to work! Quick as you like, matey!

          How is that Brexit going?

          WTF should I care? I'm no limey bastard!

      • (Score: 2) by DannyB on Wednesday December 05 2018, @03:50PM (1 child)

        by DannyB (5839) Subscriber Badge on Wednesday December 05 2018, @03:50PM (#770119) Journal

        No, seriously, I don't run kurgettenets, neither do I hack the damned vegetables. Why should I care?

        I don't know. But apparently you do care enough to whinge about it. Good show!

        Gyou cgould switgh tgo kde gbut it ghas ksuch kdifferent gnaming konventions.

        --
        The lower I set my standards the more accomplishments I have.
        • (Score: 0) by Anonymous Coward on Thursday December 06 2018, @04:21AM

          by Anonymous Coward on Thursday December 06 2018, @04:21AM (#770482)

          Oh Danny Boy [youtube.com]!

          You're displaying [urbandictionary.com] your [oxforddictionaries.com] ignorance [merriam-webster.com]. Again [dictionary.com].

          Carry on, ya damp squib!

  • (Score: 2) by NotSanguine on Wednesday December 05 2018, @12:00PM (4 children)

    by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Wednesday December 05 2018, @12:00PM (#770031) Homepage Journal

    The Kubernetes flaw has been assigned CVE-2018-1002105.

    More details can be had from here [github.com] and patches are currently available.
    Affected versions:

            Kubernetes v1.0.x-1.9.x
            Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11)
            Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5)
            Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)

    I am not aware of any sample exploits. Perhaps some other Soylentil could share?

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
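An added example, not from the story, the comment above or the Kubernetes project: an offline checker for the two concrete facts this page gives about CVE-2018-1002105, the affected/fixed version ranges listed in the comment above and the default grant of discovery API access to unauthenticated users quoted in the summary. It assumes the JSON shapes of `kubectl version -o json` (`gitVersion`) and `kubectl get clusterrolebindings -o json`, and the sample binding list is constructed for the demonstration.

```python
import json

# Affected ranges exactly as listed in the comment above:
# (first affected, last affected, fixed-in or None). The 1.0.x-1.9.x line has no
# patched release, so its upper bound uses a large patch number as a sentinel.
AFFECTED = [
    ((1, 0, 0), (1, 9, 10**6), None),
    ((1, 10, 0), (1, 10, 10), (1, 10, 11)),
    ((1, 11, 0), (1, 11, 4), (1, 11, 5)),
    ((1, 12, 0), (1, 12, 2), (1, 12, 3)),
]

UNAUTH_GROUP = "system:unauthenticated"


def parse_version(git_version):
    """Turn a gitVersion such as 'v1.11.3+coreos.0' or 'v1.12.2-gke.1' into (1, 11, 3)."""
    core = git_version.lstrip("v").split("+")[0].split("-")[0]
    major, minor, patch = (int(part) for part in core.split("."))
    return (major, minor, patch)


def vulnerable_status(git_version):
    """Return (is_affected, advice) for a server version against the ranges above."""
    version = parse_version(git_version)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            advice = ("upgrade to v%d.%d.%d" % fixed) if fixed else "upgrade to a patched 1.10+ release"
            return True, advice
    return False, "not in a listed affected range"


def unauthenticated_bindings(crb_list_json):
    """Names of ClusterRoleBindings that grant any role to the system:unauthenticated
    group; these are the bindings to review when tightening discovery access.
    'subjects' is omitted for bindings without subjects, hence the 'or []'."""
    items = json.loads(crb_list_json)["items"]
    return sorted(
        item["metadata"]["name"]
        for item in items
        if any(s.get("kind") == "Group" and s.get("name") == UNAUTH_GROUP
               for s in item.get("subjects") or [])
    )


# Constructed sample resembling a default cluster: discovery is bound to both the
# authenticated and the unauthenticated group, cluster-admin only to system:masters.
SAMPLE_CRB = json.dumps({"items": [
    {"metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": UNAUTH_GROUP}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]})
```

Feed real output from the two kubectl commands into `vulnerable_status` and `unauthenticated_bindings` to get an upgrade target and the list of bindings that still expose discovery to anonymous callers.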
    • (Score: 0) by Anonymous Coward on Wednesday December 05 2018, @12:47PM (3 children)

      by Anonymous Coward on Wednesday December 05 2018, @12:47PM (#770044)

      There was me thinking Kubernetes were an alien race of robotic overlords from a cheesy '50s space opera. Am I now to believe it's just a container system like Docker but with a stupid name?

      • (Score: 2) by NotSanguine on Wednesday December 05 2018, @01:32PM (2 children)

        by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Wednesday December 05 2018, @01:32PM (#770053) Homepage Journal

        There was me thinking Kubernetes were an alien race of robotic overlords from a cheesy '50s space opera. Am I now to believe it's just a container system like Docker but with a stupid name?

        Believe whatever you like, friend, now and/or in the future.

        But remember to heed the wisdom of Bokonon:

        Beware of the man who works hard to learn something, learns it, and finds himself no wiser than before. He is full of murderous resentment of people who are ignorant without having come by their ignorance the hard way.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
        • (Score: 0) by Anonymous Coward on Wednesday December 05 2018, @01:55PM (1 child)

          by Anonymous Coward on Wednesday December 05 2018, @01:55PM (#770065)

          So Kubernetes is like Docker with the addition of a murderous userbase? Got it - Thanks.

          • (Score: 2) by c0lo on Wednesday December 05 2018, @02:09PM

            by c0lo (156) Subscriber Badge on Wednesday December 05 2018, @02:09PM (#770070) Journal

            So Kubernetes is like Docker with the addition of a murderous userbase?

            Hack 'em, they're worth it.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Insightful) by Runaway1956 on Wednesday December 05 2018, @02:57PM (3 children)

    by Runaway1956 (2926) Subscriber Badge on Wednesday December 05 2018, @02:57PM (#770095) Journal

    It's simple really. Got your shit in the cloud? You've been compromised. I may be compromised, or I may not be. Those of you who put your stuff in the cloud have been compromised. Perhaps with this exploit, perhaps with another, but unless you encrypted all your stuff on your own machine BEFORE you put it in the cloud, you are compromised. And, no, if you used your cloud machine to do the encrypting, you're not exempt from my broad statement.

    • (Score: 2) by quietus on Wednesday December 05 2018, @05:06PM (2 children)

      by quietus (6328) on Wednesday December 05 2018, @05:06PM (#770149) Journal

      unless you encrypted all your stuff on your own machine BEFORE you put it in the cloud, you are compromised

      Which would provide an interested party with a whole bunch of data to run frequency analysis on, based on a good guess of document type, based on file size and, if you're interesting enough, type of company, perhaps even position/role within company. That you can encrypt the letter 'a' into a 1024 bytes long string of different characters doesn't mean anything when you use a well-known filetype format where the letter 'a' appears at position 25 in the file header.

      The only solution is to overwrite everything with a new, randomly generated, encryption key at semi-irregular, yet frequent, times -- in which case a sensible person would rather look to local storage.

      • (Score: 2) by Runaway1956 on Wednesday December 05 2018, @05:29PM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Wednesday December 05 2018, @05:29PM (#770166) Journal

        All true - but, if you're doing your own encryption, and using reasonably secure encryption, then you haven't simply handed your document(s) over to Big Brother. Those people who use the cloud to do their encryption can't even make such a claim. At least you've made some attempt, and the other guy now has to put at least minimal effort into decrypting your stuff. And, there are encryption methods that are claimed by fairly reliable people to be more than just reasonably secure. If you're really paranoid, you're not going to use the cloud, IMO. If you're moderately paranoid, you might use the cloud, but cause a lot of headache for the people who might want to hack you. Everyone chooses their own poison, I guess.

        • (Score: 2) by quietus on Wednesday December 05 2018, @09:55PM

          by quietus (6328) on Wednesday December 05 2018, @09:55PM (#770299) Journal

          I do appreciate the sentiment [acm.org], yet do not completely agree i.e. your remark that "there are encryption methods that are claimed by fairly reliable people to be more than just reasonably secure [baud.fr]".

          You probably know, but at least some unsuspecting readers -- typically programmers -- assuredly do not realize that if you send a large number of packets encrypted with AES without regularly changing the symmetric encryption key, you could just as well have sent your data in the clear. Encrypted data storage, while it will slow down a curious person a bit: he'll feel the need to fire up his mathematical cluster [sdsc.edu] -- is similar.
