Kubernetes’ first major security hole discovered

Published on techrepublic

Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It’s a CVSS 9.8 critical security hole.

With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server’s Transport Layer Security (TLS) credentials.


Can you say root? I knew you could.

Worse still, “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.” So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

Oh, and for the final jolt of pain: “There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”

In other words, Red Hat said, “The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes pod. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

Fortunately, there is a fix, but some of you aren’t going to like it. You must upgrade Kubernetes. Now. Specifically, there are patched versions of Kubernetes: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1.

If you’re still using Kubernetes v1.0.x-1.9.x, stop. Update to a patched version. If for some reason you can’t move up, there are cures, but they’re almost worse than the disease. You must suspend use of aggregated API servers and remove pod exec/attach/portforward permissions from users that should not have full access to the kubelet API. Jordan Liggitt, the Google software engineer who fixed the bug, said these mitigations are likely to be disruptive. You think?

The only real fix is to upgrade Kubernetes.
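Two checks a cluster operator might want after reading the paragraphs above, written for this page as an added example rather than code from the article, Kubernetes, or any vendor: a version test against the four patched releases the article names, and a scan of RBAC Role/ClusterRole objects for the pod exec/attach/portforward grants the interim mitigation says to remove from users who should not have full kubelet API access. The RBAC objects are constructed samples in the shape `kubectl get clusterroles -o json` would return; treating every 1.13 and later build as patched (the article only names v1.13.0-rc.1) and flagging both `create` and `get` verbs on those subresources are assumptions made here.

```python
"""Added example, not from the article: defender-side checks for CVE-2018-1002105."""
import re
from typing import Iterable, List, Tuple

# First patched patch level for each affected minor release, as named in the article.
PATCHED_MINIMUM = {10: 11, 11: 5, 12: 3}

# Pod subresources that proxy through the API server to the kubelet; the article's
# mitigation is to strip these from users who should not reach the kubelet API.
SENSITIVE_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split 'v1.12.3' or '1.13.0-rc.1' into (major, minor, patch, prerelease)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) or ""


def is_patched(version: str) -> bool:
    """True when the version is at or above a release the article lists as fixed."""
    major, minor, patch, _pre = parse_version(version)
    if major != 1:
        return major > 1  # assumption: anything beyond 1.x postdates the fix
    if minor < 10:
        return False  # 1.0.x-1.9.x: no patched release exists; upgrade (article)
    if minor in PATCHED_MINIMUM:
        return patch >= PATCHED_MINIMUM[minor]
    # Assumption: v1.13.0-rc.1 was the first fixed 1.13 build, so treat 1.13+ as patched.
    return True


def _expand(values: Iterable[str], wanted: set) -> set:
    """Intersect a rule's list with `wanted`, treating '*' as 'everything'."""
    vals = set(values)
    return set(wanted) if "*" in vals else vals & wanted


def find_kubelet_proxy_grants(roles: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (role name, subresource, verb) for each rule granting exec/attach/portforward.

    Both 'create' (POST, what kubectl exec sends) and 'get' (the websocket upgrade
    path) are flagged; assumption for this example.
    """
    findings = set()
    for role in roles:
        name = role.get("metadata", {}).get("name", "?")
        for rule in role.get("rules", []):
            if not ({"", "*"} & set(rule.get("apiGroups", []))):
                continue  # pods and their subresources live in the core ("") API group
            resources = set(rule.get("resources", []))
            hit = _expand(resources, SENSITIVE_SUBRESOURCES)
            if "pods/*" in resources:
                hit |= SENSITIVE_SUBRESOURCES
            verbs = _expand(rule.get("verbs", []), {"create", "get"})
            for sub in hit:
                for verb in verbs:
                    findings.add((name, sub, verb))
    return sorted(findings)


# Constructed sample RBAC objects for this example (not from any real cluster).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "dev-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"],
                "verbs": ["get", "list", "create"]}]},
    {"kind": "Role", "metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]


if __name__ == "__main__":
    for v in ("v1.9.11", "v1.10.11", "v1.12.2", "v1.13.0-rc.1"):
        print(f"{v:14s} patched={is_patched(v)}")
    for name, sub, verb in find_kubelet_proxy_grants(SAMPLE_ROLES):
        print(f"review: role {name!r} grants {verb} on {sub}")
```

Feeding the output of `kubectl get clusterroles,roles --all-namespaces -o json` (the `items` list) into `find_kubelet_proxy_grants` gives the list of bindings to review; `cluster-admin` will always appear, which is expected, so the interesting lines are the narrower roles handed to ordinary users.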


Any program, Kubernetes included, can have security holes. Kubernetes distributors are already releasing fixes.

Red Hat reports all its “Kubernetes-based services and products — including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated — are affected.” Red Hat has begun delivering patches and service updates to affected users.

As far as anyone knows, no one has used the security hole to attack anyone yet. Darren Shepard, chief architect and co-founder at Rancher Labs, discovered the bug and reported it using the Kubernetes vulnerability reporting process.

But — and it’s a big but — abusing the vulnerability would have left no obvious traces in the logs. And, now that news of the Kubernetes privilege escalation flaw is out, it’s only a matter of time until it’s abused.

So, once more and with feeling, upgrade your Kubernetes systems now before your company ends up in a world of trouble.

