myhack58 · Anonymous · MYHACK58:62201892318
Dec 07, 2018 - 12:00 a.m.

Kubernetes user privilege escalation vulnerability exposes security risks

www.myhack58.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.55 Medium (percentile 97.3%)

Recently, a critical user privilege escalation vulnerability, CVE-2018-1002105, was found in Kubernetes, the open source container software that is today a fixed component of most cloud infrastructure. This vulnerability can allow an attacker unrestricted remote access, data theft, or the ability to crash production applications.
This vulnerability has a CVSS score of 9.8 and is the first major vulnerability found in Kubernetes. An attacker can send a specially crafted request to establish a connection through the Kubernetes API server to an aggregated API server. Once the connection is established, requests sent over it to the aggregated API server are no longer checked. This means the attacker can escalate privileges to make API calls against any aggregated API server endpoint and execute any API request on the aggregated API server, for example creating a Pod, executing arbitrary commands and getting the returned results. In the default configuration, all users, authenticated and unauthenticated, are allowed to perform the API calls that permit this privilege escalation.
In real production applications, Kubernetes is a large framework service, so the impact is more widespread, which makes this problem particularly worrying. Kubernetes is the de facto standard for Linux container orchestration; it makes orchestrating containerized applications in the cloud possible, supporting services composed of hundreds or even thousands of "simple" services. Compared with traditional applications, orchestrated applications are typically more flexible and easier to manage and maintain. However, this architecture also means that once an attacker gains malicious access to a vulnerable API server, all of its sub-services are exposed. The attacker can therefore reach deep into cloud infrastructure to perform malicious operations, including data theft, installing malicious software, spying and reconnaissance, or altering workloads to destroy them.
George Gerchow, CSO of Sumo Logic, said:
The impact of this Kubernetes vulnerability will leave deep suffering. The advantage of Kubernetes is basically its speed, orchestration, automation and scale. When there is a security issue, since the attack spreads easily, these characteristics are easily compromised.
Kubernetes has released updates v1.10.11, v1.11.5 and v1.12.3 to resolve the vulnerability; individual distributions need to update themselves. Red Hat has released patched versions of its OpenShift Container Platform; users can visit the Debian and SUSE security tracker pages for the latest information about Kubernetes patches.
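As an added example (not part of the original article or of the Kubernetes project), the following check classifies reported kube-apiserver versions against the three fixed releases named above. It assumes that release lines older than 1.10 have no fixed release, that lines newer than 1.12 already contain the fix, and that a vendor-suffixed build below the fixed patch level may carry a backport and must be checked against the vendor advisory; the component names and versions in `SAMPLE` are constructed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release line.
FIXED = {(1, 10): 11, (1, 11): 5, (1, 12): 3}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$")
_PRERELEASE_RE = re.compile(r"-(alpha|beta|rc)(\.|\d|$)")


def assess(version):
    """Return 'fixed', 'affected' or 'verify' for a kube-apiserver version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    suffix = (m[4] or "") + (m[5] or "")
    prerelease = bool(_PRERELEASE_RE.match(suffix))
    vendor_build = bool(suffix) and not prerelease  # e.g. -gke.1, +d4cacc0
    line = (major, minor)
    if line > max(FIXED):
        # Assumption: release lines after 1.12 ship with the fix.
        return "verify" if prerelease else "fixed"
    fixed_patch = FIXED.get(line)  # None: older line, assumed to have no fix
    if fixed_patch is not None:
        # A pre-release of the fixed patch level sorts before the fix itself.
        if patch > fixed_patch or (patch == fixed_patch and not prerelease):
            return "fixed"
    # Vendors may backport the patch without changing the base version.
    return "verify" if vendor_build else "affected"


def audit(inventory):
    """Group component names by status for a {name: version} inventory."""
    report = {"fixed": [], "affected": [], "verify": []}
    for name, version in inventory.items():
        report[assess(version)].append(name)
    return {status: sorted(names) for status, names in report.items()}


# Constructed sample inventory (hypothetical names and versions).
SAMPLE = {
    "apiserver-a": "v1.12.3", "apiserver-b": "v1.11.4",
    "apiserver-c": "v1.10.11-gke.1", "apiserver-d": "v1.11.0+d4cacc0",
    "apiserver-e": "v1.9.7", "apiserver-f": "v1.12.3-beta.0",
}

if __name__ == "__main__":
    for status, names in audit(SAMPLE).items():
        print(f"{status}: {', '.join(names)}")
```

Entries reported as `verify` are the ones where the version string alone cannot decide the question, which is the case for distributions that ship their own patched builds.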
For most organizations, container security is only just appearing on the horizon. Most enterprises with this type of deployment are unable to protect cloud-native applications. For example, in a recent StackRox survey, more than one-third of organizations worried that their security strategy does not adequately address container security; another 15% think that their strategy does not pay enough attention to container security threats, especially for Kubernetes deployments.
Gerchow noted:
As is well known, with emerging technologies security is always regarded as an afterthought, so security industry professionals are hoping that container flaws will be exposed. From a longer-term perspective, this is another point in support of the need for development teams and security teams to collaborate better: how to use DevSecOps to build defenses and best practices while maintaining agility. In general, most organizations seem quite short-sighted about the security and configuration of their containers and CI/CD pipelines.
Gerchow added:
Taking into account how universal APIs are in today's enterprise IT infrastructure, protecting them should be a top priority. APIs make business interoperability smoother, and we expect that APIs will continue to grow explosively in the future, especially in modern responsive applications, mobile applications and B2B applications. Even though APIs bring new risks that were not covered by previous applications, application security is almost universal, and protecting APIs should be a focus of every organization that uses APIs.
API issues have appeared frequently in news headlines recently, such as the recent United States Postal Service and Amazon Web vulnerabilities, both of which were problems caused by improper use of APIs.
