BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Exploit K8S via Misconfiguration .YAML in CSP enviro
 nments\n   When: Friday\, Aug 9\, 13:25 - 13:59 PDT\n   Where: LVCC West/F
 loor 1/Hall 2/HW2-09-01\n\n   Description:\n\n   In this presenta
 tion\, we researched vulnerable security configurations\n   that enable at
 tacks on Kubernetes (K8s) clusters and examined how\n   these settings can
  be exploited in CNCF projects. Kubernetes (K8s)\n   uses YAML files to ma
 nage various security settings\, leading to\n   potential attacks such as 
 information leakage\, excessive permission\n   acquisition\, and container
  escape.\n\n   Initially\, this study focused on three security configurat
 ion areas in\n   K8s: RBAC\, HostPID\, and Security Context. We explained 
 the threats\n   present if vulnerable settings are included.\n\n   - RBAC:
  Excessive permission in K8s resources allows sensitive information theft 
 or access to other nodes\n   - HostPID: Access to node process information
  enables container escape attacks\n   - Security Context: Incorrect securi
 ty settings enable node escape and host access   \n\n   Next\, we created 
 patterns for identifying weak security settings\n   through YAML files. To
  do this\, we conducted a literature review and\n   expanded the vulnerabl
 e patterns centered on RBAC proposed in various\n   papers. Additionally\,
  we included other security settings (HostPID\,\n   Security Context). [Ou
 r Pattern vs Paper Pattern]\n\n   1. RBAC:\n       - Our: Daemonset\, Depl
 oyment SA > node Patch and Secret Get/List\n       - Paper: Daemonset > no
 de Patch and Secret Get/List\n   2. Kind:\n       Our: Cluster Role\, Role
 \, Role Binding\n       Paper: Cluster Role\n   3. Other Security configur
 ations:\n       - Our: HostPID\, SecurityContext\n       - Paper: X   \n\n
    Utilizing these patterns\, we examined over 150 widely-used 3rd-party\n
    CNCF projects in K8s\, discovering more than 50 instances of vulnerable
 \n   patterns. We provide detailed demonstrations of three scenarios for\n
    seizing nodes or clusters by using the discovered patterns to set Base\
 n   Attack conditions.\n\n   [Base Attack Conditions]\n\n   - RBAC > Daemo
 nset / Deployment > Service Account > Secret (Get/List) or Node(Patch)
 \n   
 [Exploit Scenario]\n   - Stealing Tokens using Pods with excessive privile
 ges\n   - Node Take over via 1 Day (CVE-2022-42889) or hostPID: True or Se
 curity Context\n   - Take over of another node or cluster using the Servic
 e Account Token on the seized node    \n\n   Additionally\, we are awa
 re that 3rd-Party CNCF projects are widely\n   used for convenience when o
 perating K8S in CSPs (AWS\, Azure\, GCP).\n   Since scenarios can occur in
  a CSP environment\, we demonstrate in more\n   detail. Finally\, based on
  these research results\, we share vulnerable\n   patterns with project ow
 ners to collaborate on patching and issue\n   tracking. Before the present
 ation\, we plan to share any reporting on\n   CVEs and patch notes.\n\n   
 Speakers:Wooseok Kim\,Changhyun Park\n\n   SpeakerBio:  Wooseok Kim\n\n   
 Wooseok Kim - Goorm | Site Reliability Engineer | K8S\, CSP | SKKU\n\n   S
 peakerBio:  Changhyun Park\n\n   Changhyun Park - MatchGroup | Hyperconnec
 t | Security Compliance\n   Analyst | Cloud\, GRC | SKKU\n\n   '\n
DTEND:20240809T205900Z
DTSTART:20240809T202500Z
LOCATION:CLV - LVCC West/Floor 1/Hall 2/HW2-09-01
SUMMARY:Exploit K8S via Misconfiguration .YAML in CSP environments
END:VEVENT
END:VCALENDAR
