Cloud Native

Containers are (Not) Doomed Because of Dirty Cow, and Why Identity Management is Important For Mitigation

January 2, 2017

by

Marc Boorshtein

OK, sorry for the click bait style headline but for the first blog of the new year I thought I’d have some fun. I came across a blog post on twitter from @geek_king about this real nasty bug in the kernel that can give you root access to the host server, breaking out of your container. Is this a big deal if you are using a container orchestration system like OpenShift or Kubernetes? It really could be since both give you the ability to deploy a container and use a remote shell to login to that container. Before we go too much further a few points:

  1. The kernel has been patched by Red Hat (and I’m assuming other vendors) so PATCH YOUR SYSTEMS!
  2. You should be limiting which containers can be pulled onto your OpenShift/Kubernetes cluster via only allowing from trusted registries so that would help mitigate this as well

That being said, nothing is fool proof:

  1. There will be new exploits found that let you break out of containers because, well, thats just how these things go
  2. A private docker registry is just a webapp, nothing could possibly be comprisable there, right?
  3. People need to login to both systems to do development, deployments, maintenance, etc….

OpenShift

Lets first look at OpenShift and how a break out compromise could happen, what the impact would be and possible mitigations particular to identity management.  Here’s a very basic OpenShift deployment:

This architecture assumes we’re using LDAPS for OpenShift to authenticate to FreeIPA AND you are using FreeIPA and SSSD on all of the servers supporting OpenShift.  How would someone be able to exploit a container breakout?  There are several points of entry:

  1. How well locked down are Active Directory and FreeIPA?
  2. Is the secure container registry, well, secure?
  3. Are users disabled when they no longer need access?

Maybe an employee or contractor gets caught in a phishing campaign and those credentials get them into your network and those credentials have access to OpenShift (but NOT the underlying servers).  I know, many “ifs” but networks are complex and complexity is the enemy of security (well amongst others).   I have these credentials and I login to OpenShift using the web console and I can get an rsh console into a container, a wordpress website used by one of the business orgs.  Now that we’re in, we have the ability to get to the outside world and can pull in a binary with this exploit and use it to break out.  From here we could cause all sorts of mayhem.  Also, if there are private keys on the server that are associated with public keys in FreeIPA I could have access to other servers as well!

Now, where does identity management come in to help mitigate this disaster?

  1. Hopefully you are requiring authorization before anyone can access OpenShift
  2. If credentials are compromised and identity solution can disable them quickly
  3. An identity system would let you re-certify access to OpenShift, so if someone leaves the team or the company their access doesn’t leave open a hole that can be exploited
  4. After the breach occurs, you’ll want to know why the credential had access, and who granted it
  5. Multi factor authentication could also help

#1, #2 and potentially #3 could be handled by FreeIPA to a degree.  FreeIPA can disable access quickly, remove keys, and be used to track some authorizations.  What it can’t do is provide access recertification, workflow based approvals or direct integration with OpenShift authorizations.  Thats where Unison or OpenUnison would come in.  Setting up a self service solution for identity management that directly integrates with OpenShift would let you quickly see who has access and why, when access was approved and quickly disable access.  It could also be used to re-certify access periodically and integrate with additional second factors not supported by FreeIPA (such as Symantec VIP).

Kubernetes

What if you’re using standard Kubernetes?  Everything still applies!  If you’re using certificates for authentication its actually much worse because you can’t apply a CRL right now so unless you disable the CA there’s no mechanism to disable access.  OpenID Connect integration would help mitigate this, but all of the issues with OpenShift described above would apply to Kubernetes as well.  Identity management could really help mitigate this breach.

Conclusions

Even though the headline indicates its the end of the world, it isn’t.  There are many ways break out attacks could work in the wild and they clearly wouldn’t be the first target of a script kiddie joy riding on a Friday night, but a determined attacker could sure use this as a vector to get into a larger network.  I hope you enjoyed this thought exercise and if you’d like to try an identity management solution, we happen to have one.  Try out Unison or the open source version OpenUnison!

Related Posts

June 13, 2022
Using Okta with Kubernetes
Combine OpenUnison and Okta for a simple and powerful access solution for Kubernetes. Combine CLI access and the dashboard to provide a unified login system for your Kubernetes clusters and control access using Okta groups.
Cloud Native
June 13, 2022
Amazon EKS and OIDC
Amazon EKS now supports OpenID Connect! This post will take you through the setup and configuration of integrating your cluster with Okta and OpenUnison.
Cloud Native
February 15, 2021
Pipelines and Kubernetes Authentication
Don't use ServiceAccount tokens in your external pipelines. Learn why you shouldn't use ServiceAccount tokens and how to properly authenticate your pipelines to your Kubernetes cluster.
Cloud Native
September 1, 2020
Building a Developer Portal
Integrate the applications that manage your cluster, like ArgoCD, into your OpenUnison deployment to give your developers and admins a central portal for accessing those applications.
Cloud Native
August 24, 2020
Building a Multi Cluster Authentication Portal
Quickly build a multi-cluster authentication portal for all your clusters, both on-premises and managed in the cloud. In this blog post we'll walk you through creating an authentication portal for accessing all your clusters and dashboards from a single site.
Cloud Native
July 21, 2020
Kubectl without Configuration Files
Login to your clusters with no upfront configuration!
Cloud Native
May 5, 2020
Multi-tenant Amazon EKS - The Easy Way - Part I: Authentication
Use Active Directory to login to your Amazon EKS clusters and use AD groups to authorize access to your cluster.
Cloud Native
April 21, 2020
Kubernetes Impersonation, DUO, Okta, and AzureAD in OpenUnison 1.0.18
New features in OpenUnison 1.0.18 - Kubernetes Impersonation, Prometheus metrics, Okta and AzureAD support.
Cloud Native
March 3, 2021
Kubernetes and Active Directory with Canonical
Use OopenUnison to integration Active Directory and Cononical's Kubernetes Distribution!
Cloud Native
April 12, 2020
Beyond RBAC in OpenShift – Open Policy Agent
Cloud Native
February 21, 2020
Automate OpenShift Identity Management and Project Deployment with Unison 1.0.10
Cloud Native
February 21, 2020
Containers are (Not) Doomed Because of Dirty Cow, and Why Identity Management is Important For Mitigation
Cloud Native
April 13, 2020
Unison 1.0.8 Available
Cloud Native
February 24, 2020
Kubernetes on Raspberry Pi II – Networking
Cloud Native
February 24, 2020
Building an Identity Enabled Kubernetes Cluster on Raspberry Pi
Cloud Native
February 24, 2020
Missed Google DevFestDC? Here’s My Talk on Kubernetes Identity Management
Cloud Native
February 24, 2020
Kubernetes Identity Management Part II – RBAC and User Provisioning
Cloud Native
March 20, 2020
Open Source Identity Manager for Red Hat Identity Management and FreeIPA
Cloud Native
April 12, 2020
Kubernetes Identity Management - Part I : SSO
Cloud Native
April 12, 2020
Details on our OpenShift Demo
Cloud Native
June 2, 2020
Multi-tenant Amazon EKS The Easy Way - Part II : Provisioning Namespaces
Automate the creation of namespaces and on-boarding of users for EKS with a self-service portal that takes administrators out of user management.
Cloud Native
December 14, 2020
Is Kubernetes Multi-Tenant?
Building a multi-tenant cluster will lead to better experience for your customers and an overall more secure platform. In this blog post learn why Kubernetes is an important part of a multi-tenant platform.
Cloud Native
January 5, 2021
OpenUnison Operator 2.0, New Helm Charts, and Portal Updates
OpenUnison includes better support for long term management, NetworkPolicies, and more!
Cloud Native
April 13, 2021
Secure Access to Kubernetes From Your Pipeline
Secure access to Kubernetes from your pipelines without a third party identity provider
Cloud Native
March 21, 2022
What the NSA and CISA Left Out of Their Kubernetes Hardening Guide
See what the NSA and CISA left out of their Kubernetes hardening guide for authentication and authorization!
Cloud Native
view all
solutions For
PRODUCTS
resources
company
contact
Enterprise Applications
OpenUnison
Blog
About Us
Contact Us
Customer Identity Access Management
Orchestra
Client Portal
Leadership
Receive Email Updates
free demo
OpenShift
Downloads
MyVirtualDirectory
Infrastructure & DevOps
Documentation
Content
Kubernetes
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

CALL

Phone. +1 703 844 2727

CONNECT

Drop us a line

ADDRESS

5810 Kingstowne Center Dr
STE #120-427
Alexandria, VA 22315

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form
(c) 2020 Tremolo Security, Inc. All rights reserved.
|
|
Connect with US
(c) 2020 Tremolo Security, Inc. All rights reserved.
Privacy
terms & conditions
Sign up for Tremolo emails and  content updates
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.