Catégorie : Kubernetes (AKS)

16 septembre 202016 septembre 2020

AKS |Azure Kubernetes Service: Node disk DOS by writing to container /etc/hosts (CVE-2020-8557)

Hi,

In this article I would like share with you a new vulnerability against Azure Kubernetes.

Title: Node disk DOS by writing to container /etc/hosts

CVE: CVE-2020-8557

Description:

The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Any clusters allowing pods with sufficient privileges to write to their own /etc/hosts files are affected. This includes containers running with CAP_DAC_OVERRIDE in their capabilities bounding set (true by default) and either UID 0 (root) or a security context with allowPrivilegeEscalation: true (true by default).

Affected versions:

kubelet v1.18.0-1.18.5
kubelet v1.17.0-1.17.8
kubelet < v1.16.13

Fixed versions:

AKS v1.15.11*, v1.15.12* .
AKS v1.16.10* and v1.16.13+
AKS v1.17.7* and v1.17.9+
AKS v1.18.6+

Maxime.

7 septembre 2020

AKS | Azure Kubernetes Service: Privilege escalation from compromised node to cluster (CVE-2020-8559)

Hi,

In this article I would like share with you a new vulnerability against Azure Kubernetes.

Title: Privilege escalation from compromised node to cluster

CVE: CVE-2020-8559

Description:

If an attacker is able to intercept certain requests to the Kubelet within Azure Kubernetes Service (AKS), they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes.

If multiple clusters share the same certificate authority trusted by the client, and the same authentication credentials, this vulnerability may allow an attacker to redirect the client to another cluster. In this configuration, this vulnerability should be considered High severity.

Note that this vulnerability requires an attacker to first compromise a node through separate means.

Affected versions:

AKS patches all GA kubernetes versions control plane components automatically.

kube-apiserver <v1.18.6
kube-apiserver <v1.17.7
kube-apiserver <v1.16.10
and all kube-apiserver versions prior to v1.15.11

Fixed versions:

kube-apiserver v1.18.6+
kube-apiserver v1.17.7+
kube-apiserver v1.16.10+

Maxime.

1 septembre 2020

AKS | Enable host-based encryption

Hi,

In this article I would like share with you how you can enable host-based encryption on AKS. This feature is still in preview.

With host-based encryption, the data stored on the VM host of your AKS agent nodes’ VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks.

# Requirements
az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"

az feature register --namespace "Microsoft.ContainerService" --name "EnableEncryptionAtHostPreview"

az feature list -o table --query "[?contains(name, 'Microsoft.Compute/EncryptionAtHost')].{Name:name,State:properties.state}"

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableEncryptionAtHostPreview')].{Name:name,State:properties.state}"

az provider register --namespace Microsoft.Compute

az provider register --namespace Microsoft.ContainerService

# Install the aks-preview extension
az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

# Create a new cluster to use host-based encryption
az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --aks-custom-headers EnableEncryptionAtHost=true

# Update an existing cluster to use host-based encryption
az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --aks-custom-headers EnableEncryptionAtHost=true

Maxime.