Breaking & Pwning Docker Containers & Kubernetes Clusters - All Day DevOps 2019

Transcript

1. NOVEMBER 6, 2019 by Madhu Akula Breaking & Pwning Docker

   Containers & Kubernetes Clusters

2. About - Madhu Akula • Security Automation Engineer at Appsecco

   • Passionate about (Cloud, Containers and Kubernetes) security • Speaker & Trainer @ BlackHat, DEF CON, USENIX LISA, OWASP Appsec EU, All Day DevOps, DevSecCon, Nullcon, null, etc. • Co-author of Security Automation with Ansible2 book • Discovered vulnerabilities in over 200+ organisations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP and Adobe, etc. • Holds industry certifications like OSCP and CKA • Never Ending Learner!

3. Next 30 minutes, I will talk about • It’s not

   about what is Docker, Kubernetes, etc. • Why container infrastructure security is important • What are the common tools, techniques and procedures for testing • Highlights of different real world attacks mapping with vulnerabilities • Showcase common mistakes and misconfigurations • Case studies and reference resources • Next steps for learning more and more

4. Would you like to learn Docker & Kubernetes? • https://docs.docker.com

   • https://kubernetes.io/docs/home • https://training.play-with-docker.com • https://labs.play-with-k8s.com • https://training.play-with-kubernetes.com • https://www.katacoda.com/learn • Many more...

5. Why Container Infrastructure Security? https://blog.madhuakula.com/some-tips-to-review-docker-hub-hack-of-190k-accounts-addcd602aade

6. Why Container Infrastructure Security? https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

7. Why Container Infrastructure Security? https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

8. Why Container Infrastructure Security? https://hackerone.com/reports/341876

9. Why Container Infrastructure Security? Many other vulnerabilities and real world

   impacts...

10. amicontained - Container Introspection Tool https://github.com/genuinetools/amicontained It helps to find

    out what container runtime is being used as well as features available like capabilities, profiles applied, etc.

11. trufflehog - Hardcoded sensitive information • Commiting the sensitive information

    to version control systems • Not including the sensitive files in the build process using .dockerignore file • This is one of the common mistake in modern era

12. Insecurely configured docker service

13. Insecure docker socket service

14. Analysing or Understanding unknown image

15. dive - Exploring each layer in a docker image https://github.com/wagoodman/dive

16. Inspecting container volumes

17. Volume analysis for sensitive information

18. Inspecting container networking

19. Always look for env variables • This is one of

    the common places most developers and operations teams store secrets, API keys, etc. • Also it contains other information like different service or cluster related information

20. docker diff - comparing with base image

21. container escape - extra capability and host pid

22. container escape - extra capability and host pid

23. Kubernetes secrets are not encrypted!

24. Default service account in a Pod

25. Default service account in a Pod https://hackernoon.com/capturing-all-the-flags-in-bsidessf-ctf-by-pwning-our-infrastructure-3570b99b4dd0

26. SSRF in the kubernetes world like a Cluster Pwn •

    In the Google Cloud (GCP), we have to use Metadata-Flavor: Google to obtain the metadata • Now GKE offers to protect kube-env using metadata concealment proxy and workload identity

27. SSRF in the kubernetes world like a Cluster Pwn

28. Command Injection to node access (host)

29. Command Injection to node access (host)

30. Command Injection to node access (host)

31. No default security boundary in k8s namespaces

32. Default misconfigured Helm Tiller = Cluster Pwn https://engineering.bitnami.com/articles/helm-security.html

33. Default misconfigured Helm Tiller = Cluster Pwn

34. Trivy - Vulnerability Scanner for Containers https://github.com/aquasecurity/trivy

35. dockle - Container Image Linter for Security https://github.com/goodwithtech/dockle

36. docker-bench-security https://github.com/docker/docker-bench-security • A script that checks for dozens of

    common best-practices around deploying Docker containers in production ◦ Host configuration ◦ Docker daemon configuration and files ◦ Docker container images ◦ Docker runtime ◦ Docker security operations ◦ Docker swarm configuration

37. kube-bench - CIS Kubernetes Benchmark https://github.com/aquasecurity/kube-bench • Master Node Security

    Configuration ◦ API Server ◦ Scheduler ◦ Controller Manager ◦ Configuration Files ◦ etcd ◦ General Security Primitives ◦ PodSecurityPolicices • Worker Node Security Configuration ◦ Kubelet ◦ Configuration Files

38. kube-hunter • Kube-hunter hunts for security weaknesses in Kubernetes clusters.

    The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don't own!

39. kubesec.io - Risk analysis for k8s resources https://kubesec.io/

40. kubeaudit - Audit your kubernetes clusters https://github.com/Shopify/kubeaudit

41. CVE-2018-1002105 https://www.youtube.com/watch?v=4CTK2aUXTHo

42. https://www.youtube.com/watch?v=4CTK2aUXTHo CVE-2018-1002105

43. https://github.com/Frichetten/CVE-2019-5736-PoC • This is a Go implementation of CVE-2019-5736, a

    container escape for Docker. The exploit works by overwriting and executing the host systems runc binary from within the container CVE-2019-5736

44. https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md CVE-2019-9901 - Istio/Envoy Path traversal

45. docker logs and events

46. Kubernetes centralised logs in stack driver

47. Want to explore more? • contained.af • Docker Security •

    CIS Benchmarks Docker • Understanding and Hardening Linux Containers • Abusing Privileged and Unprivileged Linux Containers • Container Security Notes • Linux Container Security • Docker Runtime Privileges and Capabilities • Apparmor Security Profiles on Docker • Seccomp Security Profiles on Docker • Docker Labs Capabilities • Practical SELinux and Containers • Container Security Notes gist • Containers and Operating systems morning paper gist • Kubernetes Security Info • Kubernetes Webinar series • Kubernetes Network Policies
48. None

49. Thank You Madhu Akula @madhuakula https://appsecco.com