Free-to-use utility scans cloud environments for risky containers

Cluster administrators who orchestrate containerized environments with Kubernetes can shrink their attack surface courtesy of an open source tool by the name of KubiScan.

On the opening morning of Black Hat 2020’s virtual Arsenal program, security researcher Eviatar Gerzi explained how KubiScan trawls Kubernetes environments for risky permissions that attackers could potentially exploit to compromise the clusters.

Ensuring that software and its dependencies transition seamlessly between computing environments, containers have become invaluable in the pursuit of agile software development.

And according to cloud monitoring service Datadog, around 45% of its customers running containers used Kubernetes as of 2019.

But Google-founded Kubernetes, which is now maintained by the Cloud Native Computing Foundation, uses role-based access control authorization that is potentially susceptible to manipulation.

“KubiScan provides a quick review of the containers that are either risky or contain sensitive data,” Gerzi, who works for CyberArk Labs, told The Daily Swig in advance of his presentation on the Open Source Intelligence track.

This gives administrators the visibility into potential risks that they need in order to mitigate them.

The bigger they come

The larger the environment, the more compelling KubiScan becomes, said Gerzi.

“Some of them will need to manage large environments with more than a thousand containers and it’s easy to lose control of each one,” he explained. “Tools like KubiScan provide a good picture of the particular containers that are the most vulnerable.

“KubiScan shows you where attackers will try to exploit in their first connection to a container,” Gerzi added. “With this information, you can significantly reduce the attack surface.”

KubiScan can scan for pods that contain privileged service account tokens, which can be abused to launch privilege escalation attacks or to compromise the cluster.

“These tokens are usually mounted to a default location inside the container,” said Gerzi, who also specializes in finding Docker vulnerabilities.

“An attacker that finds these tokens can check its permissions, and if it has privileged permissions it can be used for lateral movement in the cluster.”

In June, The Daily Swig reported that a pair of French researchers earned bug bounties after launching a server-side request forgery (SSRF) attack against a Microsoft Azure-hosted Kubernetes environment, resulting in privilege escalation.

Darren Shepherd, CTO of Rancher Labs, also discovered a privilege escalation vulnerability in Kubernetes in 2018 – the first critical flaw ever found on the platform.

Filtering results

Whether you’re searching for privileged users, roles or pods, Gerzi warned that KubiScan scans can sometimes generate an unwieldy volume of results.

“But by using the filter switches (i.e. by namespace) or customizing the default risky_roles.yaml file for more specific rules, you can remove the overhead of too many results,” he said.

Users can filter results by namespace with the -ns <namespace> switch. Where results include a priority column, they can be filtered by -p <priority>.

Full details can be found on the KubiScan GitHub repository.

Example scenario

Eviatar Gerzi recalls “one customer engagement” where he scanned for volume-mounted secrets.

“One container had a volume to a file called ‘kubeconfig’”, indicating that credentials were present.

“I checked the file and it was related to a privileged user that could list all the secrets in the namespace it was running on.”

In such a scenario, the researcher recommends “removing the unnecessary permissions, moving to other namespace if possible or use ‘get->secrets’ permissions for a specific hardcoded name instead of ‘list->secrets’ that can show you all the secrets.”
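The two points above, a pod that mounts a token for an over-privileged service account and the difference between a role that can list every secret and one that can only get a single named secret, can be checked with a short script. The following is an added example written for this article, not KubiScan's own code; the function names, the small RISKY_RULES table (a stand-in for KubiScan's risky_roles.yaml) and the Role, RoleBinding and Pod objects are all constructed for the demonstration, shaped like the JSON that kubectl returns. It models namespaced Roles only; ClusterRoles and ClusterRoleBindings are left out.

```python
"""Flag pods whose mounted service-account token is bound to a risky Role.

Added example (not KubiScan's code): the objects below are hand-built in the
shape of `kubectl get <kind> -o json`, and the risk table is a constructed
stand-in for a risky_roles.yaml file.
"""
from typing import Dict, List, Set, Tuple

# (verb, resource) pairs treated as risky in this example.
RISKY_RULES = {
    ("list", "secrets"),   # enumerates every secret in the namespace
    ("*", "secrets"),
    ("*", "*"),
    ("create", "pods"),    # can schedule a pod that mounts other tokens
}


def rule_is_risky(rule: Dict) -> bool:
    """A rule pinned to named objects (resourceNames) is not treated as
    risky here: 'get secrets' on one hard-coded name cannot enumerate
    the namespace the way 'list secrets' can."""
    if rule.get("resourceNames"):
        return False
    return any(
        (verb, resource) in RISKY_RULES
        for verb in rule.get("verbs", [])
        for resource in rule.get("resources", [])
    )


def risky_roles(roles: List[Dict]) -> Set[Tuple[str, str]]:
    """Return (namespace, name) of every Role with at least one risky rule."""
    return {
        (r["metadata"]["namespace"], r["metadata"]["name"])
        for r in roles
        if any(rule_is_risky(rule) for rule in r.get("rules", []))
    }


def risky_service_accounts(bindings: List[Dict],
                           risky: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Return (namespace, name) of service accounts bound to a risky Role."""
    found = set()
    for b in bindings:
        ns = b["metadata"]["namespace"]
        ref = b["roleRef"]
        if ref.get("kind") != "Role" or (ns, ref["name"]) not in risky:
            continue  # ClusterRole references are not modelled here
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                found.add((s.get("namespace", ns), s["name"]))
    return found


def token_is_mounted(pod: Dict) -> bool:
    """The token is auto-mounted unless the pod spec opts out. (The
    ServiceAccount object can also opt out; that case is ignored here.)"""
    return bool(pod["spec"].get("automountServiceAccountToken", True))


def risky_pods(pods: List[Dict], roles: List[Dict], bindings: List[Dict]) -> List[str]:
    """List 'namespace/pod' for pods that mount a token bound to a risky Role."""
    sas = risky_service_accounts(bindings, risky_roles(roles))
    hits = []
    for p in pods:
        ns = p["metadata"]["namespace"]
        sa = p["spec"].get("serviceAccountName", "default")
        if (ns, sa) in sas and token_is_mounted(p):
            hits.append(f"{ns}/{p['metadata']['name']}")
    return hits


# Constructed sample cluster state (not from any real environment).
ROLES = [
    {"metadata": {"namespace": "payments", "name": "secret-lister"},
     "rules": [{"verbs": ["list", "get"], "resources": ["secrets"]}]},
    {"metadata": {"namespace": "payments", "name": "read-one-secret"},
     "rules": [{"verbs": ["get"], "resources": ["secrets"],
                "resourceNames": ["db-creds"]}]},
]
BINDINGS = [
    {"metadata": {"namespace": "payments", "name": "lister-binding"},
     "roleRef": {"kind": "Role", "name": "secret-lister"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "payments"}]},
    {"metadata": {"namespace": "payments", "name": "reader-binding"},
     "roleRef": {"kind": "Role", "name": "read-one-secret"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader-sa", "namespace": "payments"}]},
]
PODS = [
    {"metadata": {"namespace": "payments", "name": "app"},
     "spec": {"serviceAccountName": "app-sa"}},
    {"metadata": {"namespace": "payments", "name": "app-no-token"},
     "spec": {"serviceAccountName": "app-sa", "automountServiceAccountToken": False}},
    {"metadata": {"namespace": "payments", "name": "reader"},
     "spec": {"serviceAccountName": "reader-sa"}},
    {"metadata": {"namespace": "default", "name": "web"}, "spec": {}},
]

if __name__ == "__main__":
    for hit in risky_pods(PODS, ROLES, BINDINGS):
        print("risky token mounted in", hit)
```

Only payments/app is reported: app-no-token uses the same over-privileged account but opts out of the token mount, and reader-sa is bound to the get-by-name role, which is the shape of permission the researcher recommends. Swapping the constructed table for the contents of risky_roles.yaml is the natural next step.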

Gerzi also explored how KubiScan can remedy permissions-based threats in Kubernetes in a 2018 blog post.
