Kubernetes Privilege Escalation: Container Escape == Cluster Admin?

Presented at Black Hat USA 2022, Aug. 11, 2022, 11:20 a.m. (40 minutes).

Kubernetes has become the de-facto way of running containerized applications in the cloud or on premise. Threat actors noticed, launching Kubernetes-tailored campaigns and releasing dedicated malware with the ultimate goal of compromising clusters. On the defensive side, hardening containers remains a top priority. Defenders hope to prevent container escapes, where a malicious container breaks out and gains control over its underlying node VM.

Unfortunately, even with cutting-edge sandboxing techniques, it is inevitable that zero-day vulnerabilities in container runtimes, the Linux kernel, or Kubernetes itself will allow sophisticated attackers to break out of a rogue container. That being said, an escape isn't necessarily game over! Defenders can still *contain* container breakouts: ensure a compromised node cannot take over the entire cluster.

Kubernetes has done a great job of de-privileging the node agent, the Kubelet. But nodes also host other credentials: their pods' service account tokens. Following a container escape, the attacker can easily harvest and abuse the tokens of neighboring pods. In other words, the impact of a container escape is largely dictated by the pods on the attacked node. Which pods run on the average node? Are powerful ones a rare sight or a common practice?

In this talk, Yuval and Shaul will reveal the powerful system pods quietly installed by popular Kubernetes platforms. They'll show how attackers may abuse these pods, and demo new privilege escalation techniques. Covering managed Kubernetes services and common open-source add-ons, they'll demonstrate how, on the most popular platforms today, a single container escape is often enough to take over the entire cluster.

Looking ahead, they'll present tools that flush out powerful pods and identify privilege escalation paths in a cluster, alongside mitigations that can detect and prevent such attacks. Join them as they embark on the journey of ensuring container escape != cluster admin.
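An added example (not code from the talk or its authors) that makes the abstract's point concrete from the defender's side: the blast radius of a node compromise is the union of the RBAC permissions reachable through the service-account tokens of the pods scheduled on it. The pods, bindings, roles and the list of "pivot-capable" permissions below are all constructed for illustration; a real audit tool would read these objects from the API server.

```python
# Added example: estimate per-node "blast radius" from pod service accounts.
# All objects are constructed samples shaped like Kubernetes API objects.
from collections import defaultdict

# Constructed sample: pods with their namespace, node and service account.
PODS = [
    {"name": "web-1", "ns": "app", "node": "node-a", "sa": "default"},
    {"name": "agent-x", "ns": "kube-system", "node": "node-a", "sa": "agent-x"},
    {"name": "web-2", "ns": "app", "node": "node-b", "sa": "default"},
]
# Constructed sample: (Cluster)RoleBindings mapping service accounts to roles.
BINDINGS = [
    {"ns": "kube-system", "sa": "agent-x", "role": "agent-x-role"},
    {"ns": "app", "sa": "default", "role": "view"},
]
# Constructed sample: rules granted by each role.
ROLES = {
    "agent-x-role": [{"verbs": ["create"], "resources": ["pods"]},
                     {"verbs": ["get", "list"], "resources": ["secrets"]}],
    "view": [{"verbs": ["get", "list"], "resources": ["pods"]}],
}
# Illustrative (verb, resource) pairs that let a token holder escalate further;
# an assumption for this example, not an exhaustive list.
DANGEROUS = {("create", "pods"), ("list", "secrets"), ("get", "secrets"),
             ("create", "clusterrolebindings"), ("impersonate", "users")}


def node_permissions(pods, bindings, roles):
    """Return {node: set of (verb, resource)} reachable via that node's pods' SAs."""
    sa_roles = defaultdict(set)
    for b in bindings:
        sa_roles[(b["ns"], b["sa"])].add(b["role"])
    perms = defaultdict(set)
    for p in pods:
        for role in sa_roles.get((p["ns"], p["sa"]), ()):
            for rule in roles.get(role, ()):
                for verb in rule["verbs"]:
                    for res in rule["resources"]:
                        perms[p["node"]].add((verb, res))
    return dict(perms)


def powerful_nodes(pods, bindings, roles):
    """Nodes whose hosted tokens grant at least one pivot-capable permission."""
    return {node: sorted(ps & DANGEROUS)
            for node, ps in node_permissions(pods, bindings, roles).items()
            if ps & DANGEROUS}


if __name__ == "__main__":
    for node, hits in powerful_nodes(PODS, BINDINGS, ROLES).items():
        print(f"{node}: escape here reaches {hits}")
```

Nodes that show up in the result are candidates for isolating the powerful pod (node taints, dedicated node pools) or for trimming the binding that grants the permission.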

Presenters:

  • Yuval Avrahami - Principal Security Researcher, Palo Alto Networks
    Yuval Avrahami is a principal security researcher at Palo Alto Networks, dealing with hacking and securing anything related to containers and cloud. Yuval found and disclosed numerous vulnerabilities across the cloud landscape, including container breakouts, Kubernetes CVEs, and critical issues in public cloud services. Most recently he published Azurescape, the first cross-account container takeover in the public cloud. Yuval previously spoke at Black Hat, KubeCon, DEFCON and other conferences.
  • Shaul Ben Hai - Security Researcher, Palo Alto Networks
    Shaul Ben Hai is a security researcher at Palo Alto Networks, focusing on open source vulnerabilities in the context of cloud and container security. Shaul spent the last year researching vulnerabilities in open source frameworks and building innovative solutions that improve vulnerability management at Palo Alto Networks.
