fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Linux Kernel Bug can let Hackers Escape Kubernetes Containers

Linux Kernel Bug can let Hackers Escape Kubernetes Containers

A vulnerability affecting Linux kernel and tracked as CVE-2022-0185 can be used to escape containers in Kubernetes, giving access to resources on the host system.

Security researchers warn that exploiting this security issue is easier and more promising than initially estimated, and that patching is an urgent matter since the exploit code will soon become public.

Container breakouts are a special kind of cyber-attacks that can pave the way to deeper infiltration and lateral movement on the compromised network.

Also Read: The Difference Between GDPR And PDPA Under 10 Key Issues

A not-so-limited flaw

CVE-2022-0185 is a heap-based buffer overflow vulnerability in the “File System Context” Linux kernel component that can lead to an out-of-bounds write, denial of service, and arbitrary code execution.

Triggering the flow enables an attacker to change values in the kernel memory and access any process running on the same node.

Based on the security notices released by Linux distributions last week, the flaw can be exploited by a local user to escalate their privileges on the system.

However, for the exploit process to work, the attacker needs to leverage an unprivileged namespace or use “unshare” to enter a namespace with the CAP_SYS_ADMIN permission.

This capability isn’t the default setting on Docker, and using the “–privileged” flag when starting the container isn’t common practice.

Moreover, the “unshare” command is blocked by Docker’s “seccomp” filter by default, so running the command isn’t permitted in the first place.

Analysts from Aquasec note that when Docker or other container platforms are used in a Kubernetes cluster, the seccomp filter is disabled by default, so the “unshare” command isn’t blocked.

unshare command running as normal in Kubernetes
unshare command running as normal in Kubernetes
Source: Aquasec

As such, an attacker could run the command and get a shell with full capabilities, including running code on the compromised system as root.

Credited for the discovery of this vulnerability are members of Crusaders of Rust (CoR) CTF team William Liu and Jamie Hill-Daniel. In total, the team has 21 members from Europe and the U.S.

Also Read: PDPA Compliance Singapore: 10 Areas To Work On

Talking to BleepingComputer, the CoR members said that they plan to publish the exploit code for CVE-2022-0185 in a little over a week, to give more time for patching. The code will be available in CoR’s GitHub repository.

The heap overflow bug impacts all Linux kernel versions starting from 5.1-rc1 through the latest patched ones (5.4.173, 5.10.93, 5.15.1). It affects Ubuntu 20/21, Debian 11, and some Red Hat packages.

Exploit code for this vulnerability has been created and one of the researchers that discovered it demonstrated that it can be leveraged successfully.

The CoR team also said that they have also created working exploit code for Google Container optimized operating system for Docker containers.

Mitigation

Upgrading the Linux kernel to version 5.16.2 or later addresses the problem. However, the update is not available for all Linux distributions yet and building the kernel from source is not an option embraced by many system administrators.

In these cases, users are advised to disable unprivileged user namespaces and only keep pods with CAP_SYS_ADMIN only on workloads where it’s absolutely essential. 

On Ubuntu, use this command to disable unprivileged namespaces:

sysctl -w kernel.unprivileged_userns_clone=0

Red Hat users who don’t require containerized deployments may disable user namespaces with the following command:

# echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
# sysctl -p /etc/sysctl.d/userns.conf

If you need unprivileged containers, ensure that the seccomp filter is actively blocking the “unshare” call.

For individual workloads, seccomp can be added as a definition in the “securityContext” field. Kubernetes has a detailed tutorial on how to do that, so make sure to check it out.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us