CWN #15 - Week 47

Weekly news that ended focusing on containers, with exposed secrets in public repos and the 2nd proof of a working exploit on eBPF

Exposed Kubernetes secrets

Aqua Security's Nautilus team released great new research on Kubernetes secrets. They analyzed GitHub repositories and found 438 records with potentially valid credentials. After testing them, 206 records (46%) contained valid credentials! They highlight three interesting findings: “SAP SE artifacts repository”, “registries of two top tier blockchain companies” and “94 Docker Hub credentials”, 64 of which were still valid.

These exposed Kubernetes secrets (mostly in .dockerconfigjson and .dockercfg, which are base64-encoded, not encrypted) are very sensitive because they allow attackers to gain access to an organization's software development systems, from source code to production. Attackers could prepare a supply chain attack by compromising infrastructure and injecting malicious code into software dependencies used by downstream consumers (for Docker Hub, the credentials were associated with 2,948 unique images totalling 46 million pulls…).

One of the surprising findings is also the shortcoming of secret scanners… They evaluated Gitleaks, TruffleHog, and Trivy: none of them detected this kind of secret by default; the authors presume “that scanners are not configured to detect base64 encoded secrets”. A custom rule for Trivy allowed them to fix this: https://gist.github.com/yakirk/f0d5a4cb3893914f956336a9edd32cfe
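To make the scanner gap concrete, here is an added Python example (not code from the Aqua research, Trivy or the other scanners named above): it takes a Kubernetes Secret manifest, decodes the base64 data under .dockerconfigjson / .dockercfg, parses the docker config inside and reports which registries carry credentials, flagging passwords rather than copying them. The function names, sample manifest and credentials are constructed for this example.

```python
import base64
import json
import re

# The two Secret data keys that hold registry credentials; values are base64,
# so each is one run of non-space characters.
KEY_RE = re.compile(r"^\s*(\.dockerconfigjson|\.dockercfg):\s*(\S+)\s*$", re.M)

def make_manifest(key: str, cfg: dict, name: str = "regcred") -> str:
    """Build a Secret manifest whose data[key] is the base64 of cfg (for the sample)."""
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    kind = "dockerconfigjson" if key == ".dockerconfigjson" else "dockercfg"
    return (f"apiVersion: v1\nkind: Secret\nmetadata:\n  name: {name}\n"
            f"type: kubernetes.io/{kind}\ndata:\n  {key}: {blob}\n")

def find_registry_creds(manifest: str) -> list:
    """One redacted finding per registry credential in the manifest.
    Secret data is only base64-encoded: decode it, parse the docker config JSON,
    and decode each entry's "auth" (base64 of user:password) for the username."""
    findings = []
    for m in KEY_RE.finditer(manifest):
        key, value = m.group(1), m.group(2)
        try:
            cfg = json.loads(base64.b64decode(value, validate=True))
        except ValueError:
            continue  # not base64-wrapped JSON, so not a docker config
        # .dockerconfigjson nests registries under "auths"; legacy .dockercfg
        # is the registry map itself.
        auths = cfg.get("auths", cfg) if isinstance(cfg, dict) else {}
        for registry, entry in auths.items():
            if not isinstance(entry, dict):
                continue
            user = entry.get("username")
            if not user and entry.get("auth"):
                user = base64.b64decode(entry["auth"]).decode(errors="replace").split(":", 1)[0]
            # Passwords are flagged, never copied into the finding.
            findings.append({"key": key, "registry": registry, "username": user,
                             "has_password": bool(entry.get("password") or entry.get("auth"))})
    return findings

# Constructed sample: two registries, one with explicit fields and one with only
# the "auth" blob. All credentials are fake, made up for this example.
SAMPLE_CFG = {"auths": {
    "https://index.docker.io/v1/": {"username": "example-user", "password": "example-pass",
                                    "auth": base64.b64encode(b"example-user:example-pass").decode()},
    "registry.example.internal": {"auth": base64.b64encode(b"ci-bot:example-token").decode()},
}}
SAMPLE_MANIFEST = make_manifest(".dockerconfigjson", SAMPLE_CFG)
```

Running `find_registry_creds` over every YAML file in a repository gives a base64-aware check that a plain regex scanner misses, because the credentials never appear in clear text in the file.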

They identified some best practices in their research:

  • Key expiration dates, as offered by GCP and AWS
  • Encrypting data
  • The least-privilege principle
  • For human users, two-factor authentication

The recommended mitigations are not new but still worth remembering (and applying):

  • Remove sensitive information from public repositories (Kubernetes reference: https://kubernetes.io/docs/concepts/configuration/secret/)
  • Manage your secrets with a dedicated tool and run secret scanners with custom rules
  • Use environment variables to pass secrets
  • Encrypt the data at rest
  • Audit and rotate secrets

Have fun securing secrets in your Kubernetes environment!

📰 https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-kubernetes-secrets

eBPF used to escalate privileges: "Elevator"

Lumen’s Black Lotus Labs team has uncovered an old piece of malware (submitted in December 2018), most probably exploiting CVE-2018-18445. This two-stage malware abuses the extended Berkeley Packet Filter (eBPF) functionality in the Linux kernel to escalate its privileges in container-based operating systems, run discovery commands and start a reverse shell. Black Lotus Labs states: “This is only the second instance of publicly reported in-the-wild exploitation of container systems that we have discovered after Palo Alto’s report on SiloScape”. Kudos.

More than 10 CVEs for eBPF exploits have already been published in 2023. Considering that it took several years to detect this sample, the need for better detection mechanisms on Linux hosts (even appliances) remains critical, as does strong network segmentation, especially when hosts are exposed. And as always, patch your stuff in a timely manner…

For all the technical details, head to their report.

🧠 https://blog.lumen.com/taking-the-elevator-down-to-ring-0/
