Kubernetes’ first major security hole discovered

Published on techrepublic

Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It’s a CVSS 9.8 critical security hole.

With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server’s Transport Layer Security (TLS) credentials.


Can you say root? I knew you could.

Worse still, “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.” So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

Oh, and for the final jolt of pain: “There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”

In other words, Red Hat said, “The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes pod. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

Fortunately, there is a fix, but some of you aren’t going to like it. You must upgrade Kubernetes. Now. Specifically, the patched versions of Kubernetes are v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1.

If you’re still using Kubernetes v1.0.x-1.9.x, stop. Update to a patched version. If for some reason you can’t move up, there are cures, but they’re almost worse than the disease. You must suspend use of aggregated API servers and remove pod exec/attach/portforward permissions from users that should not have full access to the kubelet API. Jordan Liggitt, the Google software engineer who fixed the bug, said these mitigations are likely to be disruptive. You think?
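Two checks that follow from the upgrade and mitigation advice above, as an added example that is not code from this article or from the Kubernetes project: the first classifies a server version string as patched or unpatched for CVE-2018-1002105 using only the release list the article gives (treating any 1.x minor newer than 1.13, and any later major line, as carrying the fix is my assumption); the second scans RBAC roles for grants of the pods/exec, pods/attach and pods/portforward subresources that the fallback mitigation says to remove. The role objects in the block are constructed for the example, not taken from any real cluster.

```python
"""Added example (not from the article or the Kubernetes project): a version
classifier for CVE-2018-1002105 and an RBAC scan for the kubelet-proxied pod
subresources named in the advisory's fallback mitigation."""
import json
import re
from typing import Dict, List

# First patched release of each affected minor line, as listed in the article.
# Value is (patch level, pre-release tag); "" means the final release.
PATCHED = {10: (11, ""), 11: (5, ""), 12: (3, ""), 13: (0, "rc.1")}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def parse_version(version: str):
    """Split 'v1.12.3' or 'v1.13.0-rc.1' into (major, minor, patch, pre)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""


def _pre_rank(pre: str):
    """Order pre-release tags: final release > rc.N > anything else.
    Unfamiliar suffixes (for example a distributor build tag) land in the
    lowest bucket, so they are conservatively reported as unpatched."""
    if pre == "":
        return (2, 0)
    m = re.fullmatch(r"rc\.?(\d+)", pre)
    if m:
        return (1, int(m.group(1)))
    return (0, 0)


def is_patched(version: str) -> bool:
    """True if this server version carries the fix for CVE-2018-1002105."""
    major, minor, patch, pre = parse_version(version)
    if major != 1:
        return major > 1          # assumption: later major lines are past the fix
    if minor < 10:
        return False              # article: v1.0.x-1.9.x have no patched release
    if minor not in PATCHED:
        return True               # assumption: minors after 1.13 ship with the fix
    fix_patch, fix_pre = PATCHED[minor]
    if patch != fix_patch:
        return patch > fix_patch
    return _pre_rank(pre) >= _pre_rank(fix_pre)


# Pod subresources that the API server proxies through to the kubelet.
SENSITIVE = {"pods/exec", "pods/attach", "pods/portforward"}


def risky_resources(role: dict) -> List[str]:
    """Sensitive resources a Role/ClusterRole grants, considering only rules on
    the core API group (where pods live) with verbs that can open a stream."""
    hits = set()
    for rule in role.get("rules", []):
        if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
            continue
        if not set(rule.get("verbs", [])) & {"*", "create", "get"}:
            continue
        for res in rule.get("resources", []):
            if res == "*" or res in SENSITIVE:
                hits.add(res)
            elif res.startswith("*/") and "pods/" + res[2:] in SENSITIVE:
                hits.add(res)     # RBAC's wildcard-resource/subresource form
    return sorted(hits)


def audit_roles(roles: List[dict]) -> Dict[str, List[str]]:
    """Map role name -> sensitive grants, for the roles that have any."""
    findings = {}
    for role in roles:
        hits = risky_resources(role)
        if hits:
            findings[role["metadata"]["name"]] = hits
    return findings


# Constructed sample roles for the example (not from any real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "developer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
]

if __name__ == "__main__":
    for v in ("v1.9.11", "v1.10.10", "v1.10.11", "v1.13.0-beta.2", "v1.13.0-rc.1"):
        print(f"{v:16} {'patched' if is_patched(v) else 'UNPATCHED'}")
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
```

On a real cluster the inputs would be the `serverVersion.gitVersion` field of `kubectl version -o json` and the `items` array of `kubectl get clusterroles,roles -A -o json`. Expect broad roles such as cluster-admin to be flagged; the point of the scan is to find the narrower roles, and the bindings of each flagged role, that hand exec/attach/portforward to users who should not have full kubelet access.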

The only real fix is to upgrade Kubernetes.


Any program, Kubernetes included, is vulnerable. Kubernetes distributors are already releasing fixes.

Red Hat reports all its “Kubernetes-based services and products — including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated — are affected.” Red Hat has begun delivering patches and service updates to affected users.

As far as anyone knows, no one has used the security hole to attack anyone yet. Darren Shepard, chief architect and co-founder at Rancher Labs, discovered the bug and reported it using the Kubernetes vulnerability reporting process.

But — and it’s a big but — abusing the vulnerability would have left no obvious traces in the logs. And, now that news of the Kubernetes privilege escalation flaw is out, it’s only a matter of time until it’s abused.

So, once more and with feeling, upgrade your Kubernetes systems now before your company ends up in a world of trouble.

The Easiest Way To Back Up Your Android Phone’s Data
Google’s service for saving and restoring photos and videos is called “Backup & Sync.” It works across all platforms. But the tool is pre-integrated into the Google Photos app for Android.

  1. To create a backup for your photo and video gallery, download and install Google Photos from the Play Store (if you haven’t already).
  2. You’ll be asked to sign in with a Google Account of your choice.
  3. After signing in, tap your profile picture in the corner to pull up the preferences.
  4. Next, navigate to Photos Settings > Backup & Sync and toggle the switch.
  5. Backup & Sync will automatically start saving your photos and videos to the cloud. Once the process is completed successfully, you will see a green accent and a checkmark around your profile picture.

Unless you’re on a Pixel phone, the storage isn’t unlimited. From June 1, 2021, Google only offers 15GB of free storage. But you can always buy extra storage or adjust the upload size to save space. To change the Upload size, scroll down the Backup & Sync menu and select Upload size. And pick from Storage saver or Original quality modes (via Google).

Also, you can specify individual folders if you don’t need to back up your entire gallery. Go to Backup and Sync > backup device folders and toggle your chosen folders from the list.

Why Your Android Phone Goes Straight To Voicemail And How To Fix It

If you need periods blocked off in your day to focus or relax, the Do Not Disturb Mode is a handy feature to have. You can either block all phone calls or only accept calls or messages from the contacts you want to hear from. If this setting is enabled, it also blocks app notifications, text messages, and alarms. But what if you forget to turn it off? Or switch it on by accident? Depending on who calls, you probably won’t hear your phone ring, and their calls will most likely go to voicemail.

Here’s how you can turn it off in three simple steps.

  1. Swipe down from the top of your screen to pull down your phone’s notification menu.

  2. Check if the Do Not Disturb button is enabled at the bottom right.

  3. If it’s on (the button will be lit), tap it once to turn it off.

Another way to turn off the Do Not Disturb function is to go through the settings menu on your phone.

  1. Go to the Settings app on your phone.

  2. Hit Sound & vibration > Do not disturb > Turn on/off now.

  3. If you own a phone running Android 8.1 or below, press Sound > Do not disturb and toggle the switch on or off.

The Galaxy Note Is Dead, But Its Spirit Will Live On Every Year

According to notorious tipster @Ice universe, Samsung mobile division head TM Roh was quoted as saying that the Galaxy Note will appear in the form of the Galaxy S Ultra every year. The direct implication here is that there will no longer be a Galaxy Note model moving forward. It also suggests that the Galaxy S Ultra models will retain the same form and features as the Galaxy Note, just like the Galaxy S22 Ultra released in 2022.

In terms of features, that basically means that the Galaxy S Ultra model will continue carrying an S-Pen inside its body. That design change started with the Galaxy S22 Ultra this year, in contrast to the previous Galaxy S21 Ultra generation, which had no room for the stylus inside. That same ultra-large phone distinguished itself from the Galaxy S22 and Galaxy S22+ with its boxier design, similar to that of the latest Galaxy Note models. Whether that design will remain going forward is still unknown, but the exact appearance of the Galaxy Note was never its defining feature anyway.

This news, if confirmed to be official, will probably send mixed feelings to Galaxy Note fans. On the one hand, they will be relieved that the S Pen isn’t going anywhere, at least not yet. On the other hand, the brand beloved by professionals and creatives is finally being retired after almost a decade of service. The move will at least help consolidate Samsung’s Galaxy S brand and even make the S-Pen a staple of its flagship — and hopefully, it will at least stay that way for more years to come.
