
Critical Kubernetes vulnerability could have widespread effects

News roundup: A critical Kubernetes vulnerability was found in the system's API server and could have a wide reach. Plus, ESET found 21 new Linux malware families, and more.

A critical Kubernetes vulnerability has been uncovered, marking the cloud container orchestration system's first major security problem.

The vulnerability, tracked as CVE-2018-1002105, is a privilege escalation flaw in Kubernetes' open source software that could enable attackers to gain remote access through the Kubernetes API server. Once attackers are connected to the vulnerable API server, they can connect to any attached back-end server. With that access, attackers can then execute arbitrary code on the back-end servers, and because the connection runs through the Kubernetes API server, the execution requests appear to be legitimately authenticated.

This means attackers can exploit the Kubernetes vulnerability to perform any malicious activity, such as installing malware, and gain extensive access to the cloud infrastructure.

The vulnerability received a CVSS score of 9.8 (critical) because of the breadth of the flaw: Kubernetes is the most widely used container orchestration system and the standard for Linux systems.

According to the security alert posted on GitHub on Monday, detecting whether this vulnerability has been exploited is a complicated process.

"Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log," the advisory read. "The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server."
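Because the advisory says exploitation is hard to spot after the fact, the practical control in a multi-tenant cluster is to limit which authenticated subjects can reach the kubelet-proxied pod endpoints in the first place. The following is an added example (not code from the article, the advisory or the Kubernetes project) that audits RBAC objects for exactly that. It assumes the upstream advisory's mitigation guidance, which is not reproduced in this article and centres on the pod exec, attach and port-forward permissions, so `RISKY_RESOURCES` is an assumption to adjust to your own threat model; the RBAC objects are constructed sample data in the shape of `kubectl get clusterroles,clusterrolebindings -o json`. The matching logic follows the rule RBAC itself applies, so a role that grants `pods` is correctly not flagged for `pods/exec`, while `*` and `*/exec` are.

```python
"""Audit Kubernetes RBAC for subjects able to reach kubelet-proxied pod
subresources (exec, attach, portforward).

Added example, not code from the article, the advisory or the Kubernetes
project. The RBAC objects below are CONSTRUCTED sample data in the shape of
`kubectl get clusterroles,clusterrolebindings -o json`; RISKY_RESOURCES is an
assumption about which permissions matter most in a multi-tenant cluster.
"""
import json

# Assumption: pod subresources whose requests the API server proxies on to a
# back-end (the kubelet). Adjust to the cluster's own threat model.
RISKY_RESOURCES = (("", "pods/exec"), ("", "pods/attach"), ("", "pods/portforward"))

# Constructed sample: three ClusterRoles and three ClusterRoleBindings.
SAMPLE_RBAC = json.loads("""
{
  "roles": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "tenant-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "tenant-debug"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"],
                "verbs": ["create"]}]}
  ],
  "bindings": [
    {"metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "admins"}]},
    {"metadata": {"name": "tenant-a-view"},
     "roleRef": {"kind": "ClusterRole", "name": "tenant-viewer"},
     "subjects": [{"kind": "Group", "name": "tenant-a"}]},
    {"metadata": {"name": "tenant-a-debug"},
     "roleRef": {"kind": "ClusterRole", "name": "tenant-debug"},
     "subjects": [{"kind": "User", "name": "dev@example.com"}]}
  ]
}
""")


def rule_grants(rule, api_group, resource):
    """Return True if one RBAC PolicyRule allows 'get' or 'create' on
    api_group/resource, using the matching RBAC itself applies: "*" matches
    everything, otherwise the resource string must match exactly, or the
    rule may name "*/<subresource>". A rule granting "pods" does NOT grant
    "pods/exec"."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])

    if "*" not in groups and api_group not in groups:
        return False
    # exec/attach/portforward are reached with GET (verb "get") or
    # POST (verb "create"); either is enough to matter here.
    if not ({"*", "get", "create"} & set(verbs)):
        return False

    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    for r in resources:
        if r == "*" or r == resource:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def find_risky_subjects(roles, bindings, risky=RISKY_RESOURCES):
    """Map each bound subject ("Kind/name") to the sorted list of risky
    resources it can reach through its ClusterRole."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    findings = {}
    for binding in bindings:
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None:  # bound to a role we were not given; skip it
            continue
        hits = sorted(
            res for grp, res in risky
            if any(rule_grants(rule, grp, res) for rule in role.get("rules", []))
        )
        if not hits:
            continue
        for subj in binding.get("subjects", []):
            key = f'{subj["kind"]}/{subj["name"]}'
            findings.setdefault(key, set()).update(hits)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    report = find_risky_subjects(SAMPLE_RBAC["roles"], SAMPLE_RBAC["bindings"])
    for subject, reachable in report.items():
        print(f"{subject}: {', '.join(reachable)}")
```

On the constructed data the report lists the `admins` group (via the wildcard role) and `dev@example.com` (via `pods/exec`), while the `tenant-a` viewers, who only hold `pods` and `pods/log`, are not flagged. To run it against a live cluster, feed the output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (the `items` arrays) in place of `SAMPLE_RBAC`; extending it to namespaced Roles and RoleBindings follows the same pattern.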

The Kubernetes vulnerability was initially discovered by Darren Shepherd, the co-founder and chief architect of software company Rancher Labs Inc. Shepherd said he came across the vulnerability in November but that the bug goes back a couple of years.

"This issue can allow any authenticated users with the right privileges to get more privileges," Shepherd wrote in a blog post about the vulnerability. "If you are running a hard multi-tenant cluster (untrusted users) you should be concerned."

However, Shepherd doesn't think the Kubernetes vulnerability is all bad.

"Since this is the first critical CVE for Kubernetes, it is getting a lot of attention, but I don't think it's as bad as most people think," he wrote. "In fact, I think quite the opposite: this CVE shows how strong the community is and how well run it is."

In other news:

  • On Nov. 5, cybersecurity firm ESET announced it had uncovered 21 new Linux malware families. Some of them have been operating unseen for roughly four years and take the form of trojanized versions of the OpenSSH client. In these attacks, the malware is deployed as a second-stage tool to enable more complex attacks: a Linux system is compromised first, and the legitimate OpenSSH installation is then replaced with the trojanized version. ESET researchers noted that the creators of the Linux malware Windigo were the first to discover these strains; ESET came across them while analyzing the Windigo botnet and its Ebury backdoor, where they found Ebury's internal mechanism scanning for locally installed OpenSSH backdoors. ESET also found that 18 of the 21 families have a credential-stealing feature used to steal passwords and keys, while 17 of the 21 have a backdoor mode that gives attackers a way to connect to the compromised machine. To mitigate these attacks, users should use strong passwords or an IP filtering system and make sure everything is up to date.
  • HackerOne announced an expansion of its free online training program, Hacker101, through a partnership with HackEDU, an interactive cybersecurity training company; the expansion includes five sandbox environments. The sandboxed training environments are modeled on five real vulnerability reports that were among the most popular publicly disclosed reports on HackerOne's Hacktivity, covering XSS attacks, remote code execution, SQL injection, clickjacking and XXE. The vulnerability sandboxes, developed by HackEDU, are the latest addition to its interactive coursework. HackerOne's Hacker101 was released in January of this year, and since then thousands of individuals have used its courses.
  • Australia recently became the first country to adopt encryption-busting laws after the Labor party allowed the bill to pass without making the changes it had previously claimed were necessary. The law, known as the Assistance and Access Bill 2018, will grant law enforcement the ability to require technology companies to create and seed vulnerabilities onto one or more target technologies associated with a certain person. Labor had earlier stated its support for the bill, but only on condition that its amendments were also approved. However, because the lower house was adjourning for the year, any amendments approved in the Senate would have had to go back to the lower house, with the first possible date for approval being Feb. 12, 2019. Labor considered this too long a wait and decided to pass the bill despite considering its text "inadequate."
