All Your Containers Are Belong to Us

Presented at BSidesSF 2019, March 4, 2019, 4:10 p.m. (30 minutes)

The rising adoption of container orchestration tools, such as Kubernetes, has enabled developers to scale cloud applications quickly and efficiently. However, this adoption brings a new set of security challenges, such as securing the APIs used to manage these ecosystems. We recently conducted a research study that uncovered more than 20,000 publicly accessible management nodes open to the Internet. In this talk we will discuss the implications of the findings and provide recommendations for running orchestration systems securely in the public cloud. The following platforms are exposed and part of the research: Kubernetes, Mesos Marathon, RedHat OpenShift, Docker Swarm, and Portainer (Docker Management). Not only are these management UIs available on the web, but we also discovered that their APIs are available as well, some of them wide open. We will explain how we did this research, which cloud provider is the most popular host for these containers, which regions are most popular, and show demonstrations of exploitation and discovery.

Presenters:

  • James Condon - Lacework
    James Condon is Director of Research at Lacework. James is a security veteran with over 10 years of experience in incident response, intelligence analysis, and automated threat detection. James was previously Director of Threat Research at ProtectWise (acquired by Verizon), an Incident Analyst for Mandiant, and a Special Agent in USAF OSI.
