Security researchers with Palo Alto Networks shed new light on the ways attackers target Kubernetes containers.
At Black Hat USA 2022 in Las Vegas on Thursday, security researchers Yuval Avrahami and Shaul Ben Hai covered some of the common techniques and vulnerabilities that allow attackers to escape the confines containers and access other instances on the host server.
The researchers explained how everything from misconfigurations to excessive permissions allow an attacker to gain access to both the host machine and other container pods with administrator privileges.
"Ever since containers came into our lives, we have been hearing more about container escapes in the sense of a vulnerability," Ben Hai said. "There is no doubt that containers are great for packaging and deploying software, but they are a weak security boundary."
Part of the problem, they said, is the way container pods are often set up on the host server -- in particular, the use of what the researchers called "trampoline pods" that operate libraries and APIs with system administrator clearance.
Shaul Ben HaiSecurity researcher, Palo Alto Networks
Should the attacker escape the confines of their initial container and pod via a known vulnerability or another method, they could gain access to one of the trampoline pods that would allow for an elevation of privilege and the ability to execute code and commands with administrator clearance.
Another issue is the way vital libraries and components are configured when installed in containers. If configured as a DaemonSet, a pod can be accessed by all containers on a server and, if compromised, could be used to access those nodes and take them over.
This creates a sort of "security blind spot" for container hosts where a single misconfiguration can lead to a complete takeover, they said.
"Root users can escape and take over a host. That is because the Linux attack surface is too big," Ben Hai said. "An attacker might or might not have a way to get powerful permissions, but at least they have a chance."
The motivations for an attack on a cluster and a server can range from turning pods into cryptocoin miners to stealing sensitive data such as database contents and developer source code.
To prevent such attacks and compromises, the researchers recommend administrators keep a close eye on the way container pods are configured and, if possible, limit access to the possible trampoline pods and the access to vital APIs and tools within them.