A riddle, wrapped inside an enigma, inside a container
Security researchers earned bug bounties from both Kubernetes and Microsoft after uncovering vulnerabilities in versions of the container technology that were hosted on Microsoft Azure.
The duo developed the attack after setting out to prepare a talk on Kubernetes security in a managed service environment.
The flaw (CVE-2020-8555) related to the dynamic volume provisioning technology that comes bundled with Kubernetes, and more specifically the in-core provisioning mechanism.
By messing with the provisioning process, the researchers were able to access the cloud provider’s internal resources.
This opened the gateway to various exploits, such as dumping internal credentials/privilege escalation.
“The root cause (in this case a server-side request forgery) helped us escape our customer environment on multiple providers offering [Kubernetes’] managed service,” the researchers explain in a technical blog post.
The security pros reported the vulnerabilities to Microsoft in December and Kubernetes in January.
Bug bounties were received from both organizations before disclosure of the flaw, which was initially planned in March but was postponed due to the coronavirus pandemic.
Commenting on the research, Augras told The Daily Swig: “This was a really crazy experience; we didn't expect a such great feedback from the community! Stay tuned for more content as we're hardly working on managed service applications with an implementation similar to Kubernetes.”
This story has been updated to add comment from the researchers