Kubernetes’ first major security hole discovered

Published on techrepublic


Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It’s a CVSS 9.8 critical security hole.

With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server’s Transport Layer Security (TLS) credentials.

Also: How to quickly install Kubernetes on Ubuntu TechRepublic

Can you say root? I knew you could.

Worse still, “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation.” So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.

Oh, and for the final jolt of pain: “There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server.”

In other words, Red Hat said, “The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes pod. This is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

Fortunately, there is a fix, but some of you aren’t going to like it. You must upgrade Kubernetes. Now. Specifically, the patched versions of Kubernetes are v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1.

If you’re still using Kubernetes v1.0.x-1.9.x, stop. Update to a patched version. If for some reason you can’t move up, there are cures, but they’re almost worse than the disease. You must suspend use of aggregated API servers and remove pod exec/attach/portforward permissions from users that should not have full access to the kubelet API. Jordan Liggitt, the Google software engineer who fixed the bug, said these mitigations are likely to be disruptive. You think?

The only real fix is to upgrade Kubernetes.
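Added example, not code from the article or the Kubernetes project: a small Python check covering the two actions the article describes, comparing a reported server version against the patched releases listed above, and flagging RBAC roles that grant the pods/exec, pods/attach or pods/portforward subresources. The role list format assumes the JSON that `kubectl get clusterroles,roles -A -o json` emits; the sample roles below are constructed.

```python
"""Two checks from the CVE-2018-1002105 advisory: is a cluster on a patched
release, and which RBAC roles grant the pod subresources to be removed."""
import json
import re

# Minimum patched release per minor line (advisory); 1.0-1.9 got no fix.
PATCHED = {10: (1, 10, 11), 11: (1, 11, 5), 12: (1, 12, 3), 13: (1, 13, 0)}
# Pod subresources the mitigation names.
RISKY_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

def parse_version(v):
    """'v1.11.4+k3s1' -> (1, 11, 4); pre-release tags are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError("unrecognised Kubernetes version: %r" % v)
    return tuple(int(x) for x in m.groups())

def is_patched(v):
    """True when at or above the advisory's fixed release for that minor."""
    major, minor, patch = parse_version(v)
    if major != 1:
        return major > 1
    if minor in PATCHED:
        return (major, minor, patch) >= PATCHED[minor]
    return minor > 13

def risky_rules(rbac_json):
    """Role name -> sorted risky resources, for a 'kubectl get
    clusterroles,roles -A -o json' style item list."""
    hits = {}
    for item in json.loads(rbac_json)["items"]:
        for rule in item.get("rules", []):
            groups = set(rule.get("apiGroups", []))
            if not groups & {"", "*"}:  # pods live in the core API group
                continue
            resources = set(rule.get("resources", []))
            found = RISKY_SUBRESOURCES if "*" in resources else RISKY_SUBRESOURCES & resources
            if found:
                hits.setdefault(item["metadata"]["name"], set()).update(found)
    return {name: sorted(res) for name, res in hits.items()}

# Constructed sample: one role grants pods/exec, the other is read-only.
SAMPLE_RBAC = json.dumps({"items": [
    {"metadata": {"name": "dev-exec"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create"]}]},
    {"metadata": {"name": "viewer"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}]})
```

Feed `is_patched` the serverVersion.gitVersion from `kubectl version -o json` and `risky_rules` the captured role list; the aggregated-API-server half of the mitigation is not covered here.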

Also: Kubernetes: The smart person’s guide TechRepublic

Any program, and that includes Kubernetes, has vulnerabilities. Kubernetes distributors are already releasing fixes.

Red Hat reports all its “Kubernetes-based services and products — including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated — are affected.” Red Hat has begun delivering patches and service updates to affected users.

As far as anyone knows, no one has used the security hole to attack anyone yet. Darren Shepard, chief architect and co-founder at Rancher Labs, discovered the bug and reported it using the Kubernetes vulnerability reporting process.

But — and it’s a big but — abusing the vulnerability would have left no obvious traces in the logs. And, now that news of the Kubernetes privilege escalation flaw is out, it’s only a matter of time until it’s abused.

So, once more and with feeling, upgrade your Kubernetes systems now before your company ends up in a world of trouble.
