The Call is Coming From Inside The Cluster: Mistakes that Lead to Whole Cluster Pwnership

Presented at DEF CON 30 (2022), Aug. 14, 2022, noon (45 minutes)

Kubernetes has taken the DevOps world by storm, but its rapid uptake has created an ecosystem where many popular solutions for common challenges—storage, release management, observability, etc.—are either somewhat immature or have been “lifted and shifted” to Kubernetes. What critical security smells can pentesters look for when looking at the security of a cluster?

We are going to talk through five different security problems that we have found (and reported, no 0-days here) in popular open-source projects and how you can look for similar vulnerabilities in other projects.

Presenters:

• Will Kline - Senior Principal / Dark Wolf Solutions
  Will Kline is a Senior Principal with Dark Wolf Solutions, where he works with different customers to modernize their containerized development environments. He’s been working with Linux containers since the pre-Docker days. He has been attending DEF CON since DEF CON 21. He has been coming back almost every year, becoming increasingly involved with the SOHOplessly Broken IoT CTF and the Wireless CTF. At DEF CON 25 his team “Wolf Emoji” took a Black Badge. In his recent work with Dagan, he has been excited to see the intersection between his off-hours hacking fun and real world cloud architecture and SRE work.
• Dagan Henderson - Principal / RAFT
  Dagan Henderson is a Principal Engineer at Raft, LLC, where he specializes in Kubernetes platform development. Dagan’s interest in hacking dates back to the late 80s when AOL and BBSs were the spots (yep, he hosted a very short lived BBS from his home PC—and it got hacked). His first useful computer program was a DOS BAT on a bootable floppy that removed a very persistent Windows 95 Trojan, which he wrote for the mom-and-pop computer shop he worked at for his first job. While in college, Dagan began working for a medical services provider, and when his acumen with computer systems became well-known, he was asked to evaluate a new electronic medical records system. He was able to identify several information-disclosure vulnerabilities and work with the development team to address them. As his career in software engineering took off, Dagan remained committed to developing secure applications, which is essentially the art of not developing insecure systems, and he remains committed to the practice today. As a 25-year veteran of the industry, Dagan has seen (and made) many, many mistakes. He knows where bodies get buried.

Links:

• https://forum.defcon.org/node/242293
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Dagan Henderson, Will Kline - The Call is Coming From Inside The Cluster.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Dagan Henderson, Will Kline - The Call is Coming From Inside The Cluster.srt (subtitles)
• https://www.youtube.com/watch?v=0pN-x1q-PZs

Similar Presentations:

• ShmooCon 2023 / Escalating Attack and Defense on Cloud-based Kubernetes — The Difference Between a Container and a Pod is a Pod can Begin an Adventure!
• BSidesDC 2019 / Building Secure Kubernetes Clusters with Identity Management
• ShellCon 2020 Virtual / Attacking and Defending Kubernetes: Inception-Style