Comparing the Leading Tools That Scan Against the CIS Kubernetes Benchmark Framework
CIS Benchmarks are a focused set of guidelines for the secure configuration, vulnerability detection, and...
Nov 23, 2022
UPDATE: Our “2023 Kubernetes Vulnerabilities Roundup” is available here
All the main K8s vulnerabilities from 2022 consolidated into one article. Put together by Ben Hirschberg, CTO & co-founder of ARMO, the makers of Kubescape.
During 2022, Kubernetes continued to cement itself as a critical infrastructure component in the modern software stack. From small to large organizations, it has become a widely popular choice. For obvious reasons, this shift made Kubernetes more susceptible to attacks. But this is not the end of it. Keep in mind that developers typically use a Kubernetes deployment with other cloud-native components to make a working system. Unfortunately, this fusion results in a more complex infrastructure with more components. That ultimately increases the surface and scope vulnerable to attacks.
According to Red Hat’s “2022 state of Kubernetes security report”, 93% of those surveyed last year reported at least one incident impacting a Kubernetes environment. Out of the total security incidents reported, 53% were due to misconfigurations, and 38% were due to the exploitation of vulnerabilities. The trend shows an increase in vulnerabilities mainly due to an increasing attack surface area and complexity in vulnerability management. Understandably, this is a concern for the entire industry.
In this article, we discuss 2022 Kubernetes vulnerabilities and what we can learn from them. To make sure we’re all on the same page, let’s define vulnerability. To do so, let’s examine the standard definition from NIST SP 800-53: “A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system(s) security policy.”
There are various trusted data sources responsible for identifying, collecting, and publishing vulnerabilities in the public domain. The main ones are NVD (National Vulnerability Database) CVE database, GitHub security advisories, Exploit-DB, vendor notifications, and official project announcements.
Here is the list of sources to look for Kubernetes vulnerabilities:
This vulnerability occurs when legitimate users or clients are unable to access the service or system due to the actions of a malicious threat actor. For example, let’s say someone is querying your Kubernetes API server concurrently with numerous requests; the API server might then become unresponsive to other legitimate requests.
Certain system weaknesses allow an attacker to gain unauthorized access inside the security perimeter. In Kubernetes, container escape is a common weakness, and when exploited, a hacker can gain access to the host with elevated privileges.
This is a broader term for a type of vulnerability that includes authentication bypass, execution code bypass, permission bypass, etc.
Often, a buffer overflow can happen due to bugs in the code such as poor handling of out-of-bounds memory buffers. It allows malicious actors to access the memory of other co-hosted processes and leak unwanted information.
Here, an attacker exploits a flaw in the code and uses it to execute arbitrary malignant code, often to gain elevated access, network access, or control of the host system.
With this vulnerability, a hacker can take advantage of a weakness in the code to traverse arbitrary files and directories on the host system or network.
This vulnerability in CRI-O, a container runtime used by Kubernetes, was disclosed by CrowdStrike security researchers earlier this year with a CVE score of 9.0 (critical). It lets a malicious actor with access create a pod in a Kubernetes cluster to set arbitrary kernel parameters on the host by abusing the kernel.core_pattern parameter. This vulnerability allows hackers to escape from the Kubernetes container and gain root access to the host, potentially enabling them to deploy malware, exfiltrate data, and achieve lateral movement in the cluster.
This is again a vulnerability in the CRI-O container runtime that causes memory or disk space exhaustion on the node, thus impacting system availability. It was given a CVE score of 7.5 (high). Whoever has access to Kubernetes API can invoke execSync, which runs a command or gets the log from the container synchronously. If the output of the command is very large, it may fill up the memory or disk and cause unavailability of the node or other co-hosted services.
CVE-2022-31030 is also similar to CVE-2022-1708, but CVE-2022-31030 is due to the containerd container runtime instead of CRI-O.
This critical vulnerability with the highest score of 10.0 created panic for users of ArgoCD, a popular GitOps continuous delivery tool that is used to deploy applications on Kubernetes clusters. The vulnerability allows unauthenticated users to gain anonymous access, enabling them to impersonate any other user including admins by sending a specifically crafted JSON Web Token (JWT).
The exploitation was easy, as the attacker didn’t need any account in ArgoCD. By default, ArgoCD service accounts get a cluster-admin role, thus giving the attacker full access to the Kubernetes cluster.
Another critical vulnerability in the ArgoCD project discovered at the start of the year, this one, if exploited, can leak sensitive information such as application credentials, API keys, and secrets from other applications. This 0-day vulnerability lets malicious actors bypass the directory traversal checks and gain access to other confidential information stored in ArgoCD. We have previously discussed this vulnerability in detail.
This vulnerability is found in the containerd versions 1.6.1, 1.5.10, and 1.14.12 and allows attackers to read the arbitrary host file. Thus, an attacker can read confidential files such as kubelet private keys and can access the Kubernetes API server/etcd database to exfiltrate information.
A heap-based buffer overflow flaw in the File Context API in Linux can lead to out-of-bounds writes. A malicious actor with local access can then cause a denial of service attack or run arbitrary code on the host. To detect this vulnerability exposure in Kubernetes, you would need to find the pods with CAP_SYS_ADMIN capabilities. Learn more about CVE-2022-0185 here.
Grafana Labs published a security advisory for a new critical vulnerability in its open-source product. The vulnerability, marked as CVE-2022-39328, enables attackers to bypass authorization on arbitrary service endpoints. This is a critical vulnerability which bypasses authentication. The fact that Grafana is used by ~50% of Kubernetes users in production makes this CVE especially worth noting.
Security researchers at ARMO have found a high-severity vulnerability in the Kyverno admission controller container image signature verification mechanism. The vulnerability enables an attacker who is either running a malicious container image registry or is able to act as a proxy between the registry and Kyverno, to inject unsigned images into the protected cluster, bypassing the image verification policy. The vulnerability was introduced in version 1.8.3 and was fixed in version 1.8.5. We recommend all Kyverno users update as soon as possible.
curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash kubescape scan control C-0091
Below are some of the key takeaways from the vulnerabilities discussed.
Container escape is one of the most frequently exploited vulnerabilities in Kubernetes. Implementing security profiles such as AppArmor and SELinux, as well as pod security standards in your Kubernetes deployment can reduce exposure to attacks. You can also look into some guidance we shared earlier this year on how to secure a Kubernetes deployment.
Follow the principle of least privilege when assigning roles and privileges to your service accounts and users. This reduces the chance of an attacker getting excessive privileges on the cluster even if they have infiltrated it. Utilize the RBAC visualizer in the Kubescape portal to detect roles and actors with unnecessary permissions.
Use the defense in-depth technique to make it tougher for malicious actors to achieve lateral movement and exfiltrate data.
It is advisable to take frequent and continuous scans of your K8s manifest files, code repositories, and clusters to find vulnerabilities. Open-source solutions such as Kubescape have controls to detect critical vulnerabilities.
Figure 2. Kubescape configuration scanning controls for CVEs
Establish a process to update the software packages on your Kubernetes clusters regularly. After disclosure of vulnerabilities, hackers try to exploit targets that are not patched almost immediately. One such example was the Log4J vulnerability, which was exploited 840,000 times in the first 72 hours.
Use container sandbox projects such as gVisor that can strengthen container boundaries and protect against container escape and privilege escalation by providing strong isolation in a multi-tenant system.
It is not always possible to completely avoid a vulnerability. This is due to software bugs and unidentified weaknesses in the code that have passed through the testing and review process.
But, what we can do is follow best practices to secure the platform and the software deployed on it to reduce the impact. We can also be more proactive in applying fixes by setting robust continuous deployment processes to patch vulnerabilities and using tools like ARMO’s Kubescape to align with best practices.
Kubescape scans your clusters to detect vulnerabilities and unearth security issues before attackers exploit them. Book a demo today and keep your 2023 more secure.
The only runtime-driven, open-source first, cloud security platform:
Continuously minimizes cloud attack surface
Secures your registries, clusters and images
Protects your on-prem and cloud workloads
CIS Benchmarks are a focused set of guidelines for the secure configuration, vulnerability detection, and...
Originally appeared on The New Stack. More and more organizations rely on Kubernetes to deploy and manage...
The dynamic world of Kubernetes and cloud security is constantly evolving. As we explore this...