What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
CrowdStrike | 2022-03-15 12:19:11 | cr8escape: Zero-day in CRI-O Container Engine Discovered by CrowdStrike (CVE-2022-0811) (direct link) | CrowdStrike cloud security researchers discovered a zero-day vulnerability (dubbed “cr8escape” and tracked as CVE-2022-0811) in the Kubernetes container engine CRI-O. CrowdStrike disclosed the vulnerability to Kubernetes, which worked with CRI-O to issue a patch that was released today. It is recommended that CRI-O users patch immediately. CrowdStrike customers are protected from this threat by the […] | Tags: Vulnerability, Threat, Uber
CVE | 2022-03-10 17:47:33 | CVE-2022-26311 (direct link) | Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to an Unauthorized Actor. Secrets are not redacted in logs collected from Kubernetes environments. | Tags: Uber
PaloAlto | 2022-03-08 14:00:57 | Unit 42 Discloses Newly Discovered Vulnerabilities in GKE Autopilot (direct link) | Understand what recently discovered vulnerabilities and attack techniques in GKE Autopilot reveal about best practices for securing Kubernetes. | Tags: Uber
TroyHunt | 2022-03-07 19:09:29 | A 3,600-hour Nintendo Switch OLED test gets to the bottom of burn-in (direct link) | YouTuber's test results provide potential good news for more than just the Switch. | Tags: Uber
CVE | 2022-03-03 14:15:07 | CVE-2022-23648 (direct link) | containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue. | Tags: Uber
cybersecurityventures | 2022-02-25 14:16:55 | TeamTNT: Cryptocriminals Target Linux Servers, Kubernetes (direct link) | Experiments also conducted on infiltrating Windows machines by the German-speaking group – Charlie Osborne, London – Feb. 25, 2022. The TeamTNT cybercriminal enterprise is actively striking Linux systems and Kubernetes builds in cryptojacking campaigns. Active since at least 2019, TeamTNT is considered something of | Tags: Uber
CVE | 2022-02-22 20:15:07 | CVE-2022-23652 (direct link) | capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious `Connection` header to start a privilege escalation attack towards the Kubernetes API Server. This vulnerability allows for an exploit of the `cluster-admin` Role bound to `capsule-proxy`. There are no known workarounds for this issue. | Tags: Vulnerability, Uber
no_ico | 2022-02-17 13:29:28 | Google Almost Doubles Linux Kernel, Kubernetes Zero-day Rewards (direct link) | Google says it’s paying researchers for reporting vulnerabilities in its latest operating systems, including Google Kubernetes Engine (GKE), and that it’s offering bigger bonuses to those who report zero-day bugs and exploits. Google says it increased rewards to match the community’s expectations, but also that “because we consider the program a success,” they’re extending the […] | Tags: Uber
itsecurityguru | 2022-02-16 11:36:03 | Google doubles bug bounties (direct link) | Google has announced that they have doubled the rewards for anyone who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms. The reward increases are applicable to exploits discovered in the Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF (Kubernetes-based infrastructure for capture the […] | Tags: Uber
Anomali | 2022-02-15 20:01:00 | Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More (direct link) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Mobile Malware, APTs, Ransomware, Infostealers, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors? (published: February 9, 2022) A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets. Analyst Comment: This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel. MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059; [MITRE ATT&CK] Phishing - T1566. Tags: Transparent Tribe, Donot, SideWinder, Asia, Military, Government. Fake Windows 11 Upgrade Installers Infect You With RedLine Malware (published: February 9, 2022) Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the 'Upgrade Now' button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more. Analyst Comment: Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack. MITRE ATT&CK: [MITRE ATT&CK] Video Capture - T1125; [MITRE ATT&CK] Input Capture - T1056; [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041. Tags: RedLine, Windows 11, Infostealer. | Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Guideline, Uber | Stories: APT 43, APT 36, APT-C-17
SecurityWeek | 2022-02-15 19:09:27 | Google Offering $91,000 Rewards for Linux Kernel, GKE Zero-Days (direct link) | Technology giant Google is offering bigger cash awards for hackers reporting critical security flaws affecting the Linux Kernel, GKE, Kubernetes, and kCTF. | Tags: Uber
GoogleSec | 2022-02-14 12:07:20 | 🌹 Roses are red, Violets are blue 💙 Giving leets 🧑‍💻 more sweets 🍭 All of 2022! (direct link) | Posted by Eduardo Vela, Vulnerability Matchmaker. Until December 31 2022 we will pay 20,000 to 91,337 USD for exploits of vulnerabilities in the Linux Kernel, Kubernetes, GKE or kCTF that are exploitable on our test lab. We launched an expansion of kCTF VRP on November 1, 2021 in which we paid 31,337 to 50,337 USD to those that are able to compromise our kCTF cluster and obtain a flag. We increased our rewards because we recognized that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that we would like to extend it even further to at least until the end of the year (2022). During the last three months, we received 9 submissions and paid over 175,000 USD so far. The submissions included five 0days and two 1days. Three of these are already fixed and are public: CVE-2021-4154, CVE-2021-22600 (patch) and CVE-2022-0185 (writeup). These three bugs were first found by Syzkaller, and two of them had already been fixed on the mainline and stable versions of the Linux Kernel at the time they were reported to us. Based on our experience these last 3 months, we made a few improvements to the submission process: Reporting a 0day will not require including a flag at first. We heard some concerns from participants that exploiting a 0day in the shared cluster could leak it to other participants. As such, we will only ask for the exploit checksum (but you still have to exploit the bug and submit the flag within a week after the patch is merged on mainline). Please make sure that your exploit works on COS with minimal modifications (test it on your own kCTF cluster), as some common exploit primitives (like eBPF and userfaultfd) might not be available. Reporting a 1day will require including a link to the patch. We will automatically publish the patches of all submissions if the flag is valid. We also encourage you all to include a link to a Syzkaller dashboard report if applicable in order to help reduce duplicate submissions and so you can see which bugs were exploited already. You will be able to submit the exploit in the same form you submit the flag. If you had submitted an exploit checksum for a 0day, please make sure that you include the original exploit as well as the final exploit and make sure to submit it within a week after the patch is merged on mainline. The original exploit shouldn't require major modifications to work. Note that we need to be able to understand your exploit, so please add comments to explain what it is doing. We are now running two clusters, one on the REGULAR release channel and another one on the RAPID release channel. This should provide more flexibility whenever a vulnerability is only exploitable on modern versions of the Linux Kernel or Kubernetes. We are also changing the reward structure | Tags: Uber
Kaspersky | 2022-02-10 16:39:04 | SAP to Give Threat Briefing on Uber-Severe 'ICMAD' Bugs (direct link) | SAP's Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. | Tags: Threat, Uber
SecurityAffairs | 2022-02-06 13:49:13 | Argo CD flaw could allow stealing sensitive data from Kubernetes Apps (direct link) | A flaw in Argo CD tool for Kubernetes could be exploited by attackers to steal sensitive data from Kubernetes Apps. A zero-day vulnerability, tracked as CVE-2022-24348, in the Argo CD tool for Kubernetes could be exploited by attackers to steal sensitive data from Kubernetes Apps, including passwords and API keys. The flaw received a CVSS […] | Tags: Tool, Uber
01net | 2022-02-06 12:12:00 | Hacking: how the original spirit was perverted and uberised by the tech giants (direct link) | A research report goes back to the origins of security vulnerability research. It finds that the libertarian spirit of the early days has been replaced by an "uberisation" of hacking. Is another world possible? | Tags: Uber
The_Hackers_News | 2022-02-05 21:48:25 | New Argo CD Bug Could Let Hackers Steal Secret Info from Kubernetes Apps (direct link) | Users of the Argo continuous deployment (CD) tool for Kubernetes are being urged to push through updates after a zero-day vulnerability was found that could allow an attacker to extract sensitive information such as passwords and API keys. The flaw, tagged as CVE-2022-24348 (CVSS score: 7.7), affects all versions and has been addressed in versions 2.3.0, 2.2.4, and 2.1.9. Cloud security firm | Tags: Tool, Vulnerability, Uber
InfoSecurityMag | 2022-02-04 18:30:00 | Major Vulnerability Found in Argo CD (direct link) | Malicious Kubernetes Helm Charts can be exploited to steal sensitive data | Tags: Vulnerability, Uber
Kaspersky | 2022-02-04 18:26:07 | Argo CD Security Bug Opens Kubernetes Cloud Apps to Attackers (direct link) | The popular continuous-delivery platform has a path-traversal bug (CVE-2022-24348) that could allow cyberattackers to hop from one application ecosystem to another. | Tags: Uber
bleepingcomputer | 2022-02-04 10:43:31 | Argo CD vulnerability leaks sensitive info from Kubernetes apps (direct link) | A vulnerability in Argo CD, used by thousands of orgs for deploying applications to Kubernetes, can be leveraged in attacks to disclose sensitive information such as passwords and API keys. [...] | Tags: Vulnerability, Uber
CVE | 2022-02-01 11:15:10 | CVE-2020-8562 (direct link) | As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Services, Pods, Nodes, or StorageClass service providers. As part of this mitigation Kubernetes does a DNS name resolution check and validates that response IPs are not in the link-local (169.254.0.0/16) or localhost (127.0.0.0/8) range. Kubernetes then performs a second DNS resolution without validation for the actual connection. If a non-standard DNS server returns different non-cached responses, a user may be able to bypass the proxy IP restriction and access private networks on the control plane. | Tags: Uber
CrowdStrike | 2022-01-31 23:11:00 | CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit (direct link) | On Jan. 18, 2022, researchers found a heap-based buffer overflow flaw (CVE-2022-0185) in the Linux kernel (5.1-rc1+) function “legacy_parse_param” of filesystem context functionality, which allows an out-of-bounds write in kernel memory. Using this primitive, an unprivileged attacker can escalate its privilege to root, bypassing any Linux namespace restrictions. CVE-2022-0185 Needs CAP_SYS_ADMIN. This flaw is […] | Tags: Uber
Chercheur | 2022-01-29 18:05:52 | Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams (direct link) | Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who's tricked dozens of start-ups into giving him tens of millions of dollars. Bernard's latest victim, a Norwegian startup hoping to build a fleet of environmentally friendly shipping vessels, is now embroiled in a lawsuit over a deal gone bad, in which Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd. | Tags: Uber | Stories: Uber
CVE | 2022-01-25 20:15:08 | CVE-2022-0270 (direct link) | Prior to v0.6.1, bored-agent failed to sanitize incoming kubernetes impersonation headers allowing a user to override assigned user name and groups. | Tags: Uber
bleepingcomputer | 2022-01-25 11:56:28 | Linux kernel bug can let hackers escape Kubernetes containers (direct link) | A vulnerability affecting Linux kernel and tracked as CVE-2022-0185 can be used to escape Kubernetes containers, giving access to resources on the host system. [...] | Tags: Vulnerability, Uber
grahamcluley | 2022-01-20 12:07:15 | Smashing Security podcast #258: Tesla remote hijacks and revolting YouTubers (direct link) | Carole's still on jury service, but the show must go on! We take a look at how some Tesla owners are at risk of having their expensive cars remotely hijacked, and why YouTubers are up in arms over NFTs. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault. | Tags: Uber
CVE | 2022-01-19 22:15:09 | CVE-2022-21701 (direct link) | Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following which will prevent this vulnerability: Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users. | Tags: Vulnerability, Uber
no_ico | 2022-01-18 07:10:35 | Building your Kubernetes Cluster For Cybersecurity Prototyping (direct link) | Kubernetes and server-less applications would be the biggest next things to protect. So it would be a great idea to start to get practice on such an environment, especially if you had no previous opportunities. Here is my post on how to build your first Kubernetes cluster based on Raspberry Pi4! Raspberry is a cheap and […] | Tags: Uber
ArsTechnica | 2022-01-11 17:57:10 | You can no longer call an Uber with your Apple Watch (direct link) | Uber is still available on the smartwatch, but you can't do anything with it. | Tags: Uber | Stories: Uber
cyberark | 2022-01-11 17:00:50 | 3 Kubernetes Risks and What to Do About Them (direct link) | Today, speed trumps nearly everything when it comes to software development. And as digital business requirements evolve, developers are being asked to work even faster and with more agility than ever before. Take Netflix, for... | Tags: Uber | Notes: ★★★★
Kaspersky | 2022-01-05 20:49:37 | Uber Bug, Ignored for Years, Casts Doubt on Official Uber Emails (direct link) | A simple-to-exploit bug that allows bad actors to send emails from Uber's official system, skating past email security, went unaddressed despite multiple flagging by researchers. | Tags: Uber | Stories: Uber
Pirate | 2022-01-05 17:29:59 | Uber's email system affected by a critical flaw? (direct link) | In this week's news: A cybersecurity researcher reported to Uber, via its bug bounty platform, a potential critical security flaw affecting the company's email system. The critical flaw (an "HTML injection in one of Uber's email endpoints") would allow attackers to send legitimate-looking phishing emails to Uber's 57 million users and drivers. The post "Le système de messagerie d'Uber affecté par une faille critique ?" first appeared on UnderNews. | Tags: Uber | Stories: Uber
itsecurityguru | 2022-01-04 13:44:32 | Vulnerability lets anyone send emails from Uber.com (direct link) | Researcher Seif Elsallamy recently discovered a vulnerability in Uber’s emailing system, which allows anyone to send an email on behalf of the company. If exploited, threat actors would be able to email the 57 million Uber users and drivers whose data was leaked in the 2016 data breach. Uber has been made aware of the […] | Tags: Vulnerability, Threat, Uber | Stories: Uber
bleepingcomputer | 2022-01-02 09:48:35 | (Déjà vu) Uber ignores vulnerability that lets you send any email from Uber.com (direct link) | A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber. Uber is aware of the flaw but has decided not to fix it for now. [...] | Tags: Vulnerability, Uber | Stories: Uber
bleepingcomputer | 2022-01-02 09:48:35 | Uber dismisses vulnerability that lets you email anyone as Uber! (direct link) | A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber. Uber is aware of the flaw but has decided not to fix it. [...] | Tags: Vulnerability, Uber | Stories: Uber
CVE | 2021-12-27 22:15:07 | CVE-2021-43858 (direct link) | MinIO is a Kubernetes native application for cloud storage. Prior to version `RELEASE.2021-12-27T07-23-18Z`, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version `RELEASE.2021-12-27T07-23-18Z` changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit `Deny` rule to disable the API for users. | Tags: Uber
InfoSecurityMag | 2021-12-24 10:25:00 | Former Uber CSO Faces New Charge for 2016 Breach (direct link) | US feds accuse Joe Sullivan of using bug bounty to conceal 2016 hack and breach | Tags: Hack, Uber | Stories: Uber
InfoSecurityMag | 2021-12-17 21:13:00 | Neuberger: Change Your Passwords Now (direct link) | Cybersecurity official shares tips for cutting risk ahead of the holidays | Tags: Uber
TechRepublic | 2021-12-08 21:50:52 | Expert: Businesses are feeling the pressure to implement real-time analytics to keep up (direct link) | Disrupters like Uber and DoorDash are putting the squeeze on the rest. More organizations are operationalizing real-time data, and it's changing how they operate. | Tags: Uber | Stories: Uber
Cisco | 2021-12-02 19:46:16 | Snort 3 Anywhere (direct link) | Cisco has launched Snort 3 Anywhere, making it officially available in a container form factor to be consumed in a customer's Kubernetes cluster, either running on AWS or on-prem. | Tags: Uber
GoogleSec | 2021-12-02 15:00:00 | Exploring Container Security: A Storage Vulnerability Deep Dive (direct link) | Posted by Fabricio Voznika and Mauricio Poppe, Google Cloud. Kubernetes Security is constantly evolving, keeping pace with enhanced functionality, usability and flexibility while also balancing the security needs of a wide and diverse set of use-cases. Recently, the GKE Security team discovered a high severity vulnerability that allowed workloads to have access to parts of the host filesystem outside the mounted volumes boundaries. Although the vulnerability was patched back in September we thought it would be beneficial to write up a more in-depth analysis of the issue to share with the community. We assessed the impact of the vulnerability as described in vulnerability management in open-source Kubernetes and worked closely with the GKE Storage team and the Kubernetes Security Response Committee to find a fix. In this post we'll give some background on how the subpath storage system works, an overview of the vulnerability, the steps to find the root cause and the fix, and finally some recommendations for GKE and Anthos users. Kubernetes Filesystems: Intro to Volume Subpath. The vulnerability, CVE-2021-25741, was caused by a race condition during the creation of a subpath bind mount inside a container, and allowed an attacker to gain unauthorized access to the underlying node filesystem and its sensitive files. We'll describe how that system is supposed to work, and then talk about the vulnerability. The volume subpath feature in Kubernetes enables sharing a volume in multiple containers inside a pod. For example, we could create a Pod with an InitContainer that creates directories with pre-populated data in a mounted filesystem volume. These directories can then be used by containers in the same Pod by mounting the same volume and optionally specifying a subpath field to limit what's visible inside the container. While there are some great use cases for this feature, it's an area that has had vulnerabilities discovered in the past. The kubelet must be extra cautious when handling user-owned subpaths because it operates with privileges in the host. One vulnerability that has been previously discovered involved the creation of a malicious workload where an InitContainer would create a symlink pointing to any location in the host. For example, the InitContainer could mount a volume in /mnt and create a symlink /mnt/attack inside the container pointing to /etc. Later in the Pod lifecycle, another container would attempt to mount the same volume with subpath attack. While preparing the volumes for the container, the kubelet would end up following the symlink to the host's /etc instead of the container's /etc, unknowingly exposing the host filesystem to the container. A previous fix made sure that the subpath mount location is resolved and validated to point to a location inside the base volume and that it's not changeable by the user in between the time the path was validated and when the container runtime bind mounts it. This race condition is known as time of check to time of use (TOCTOU) where the subject being validated changes after it has been validated. These validations and others are summarized in the following container lifecycle sequence diagram. | Tags: Vulnerability, Uber
TechRepublic | 2021-11-26 12:14:27 | Serverless offerings like AWS Lambda haven't hit the big time, but Kubernetes can help (direct link) | Commentary: Serverless has failed to hit its potential, Corey Quinn argues. Containers may help to change that. | Tags: Uber
TechRepublic | 2021-11-19 19:01:09 | Enterprises get closer to the app store experience with Kubernetes and GitOps (direct link) | Commentary: The big enterprise problem isn't running hundreds of apps across multiple clouds; no, the big problem is running the same app consistently on just one cloud or data center. | Tags: Uber
TechRepublic | 2021-11-18 20:41:57 | Master Kubernetes, React, AWS and more valuable cloud skills with this training (direct link) | You don't need to go back to school or spend a lot of money to acquire skills that can send your career soaring. You can just learn all about the cloud from self-paced courses. | Tags: Uber
CVE | 2021-11-17 19:15:09 | CVE-2021-43979 (direct link) | ** DISPUTED ** Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 mishandles concurrency, sometimes resulting in incorrect access control. The data replication mechanism allows policies to access the Kubernetes cluster state. During data replication, OPA/Gatekeeper does not wait for the replication to finish before processing a request, which might cause inconsistencies between the replicated resources in OPA/Gatekeeper and the resources actually present in the cluster. Inconsistency can later be reflected in a policy bypass. NOTE: the vendor disagrees that this is a vulnerability, because Kubernetes states are only eventually consistent. | Tags: Uber
CVE | 2021-11-15 21:15:07 | CVE-2021-41266 (direct link) | Minio console is a graphical user interface for the MinIO operator. Minio itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables and instead use the Kubernetes service account token. | Tags: Uber
CVE | 2021-11-12 18:15:07 | CVE-2021-41254 (direct link) | kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. In affected versions multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used. | Tags: Vulnerability, Uber
GoogleSec | 2021-11-11 13:13:06 | ClusterFuzzLite: Continuous fuzzing for all (direct link) | Posted by Jonathan Metzman, Google Open Source Security Team. In recent years, continuous fuzzing has become an essential part of the software development lifecycle. By feeding unexpected or random data into a program, fuzzing catches bugs that would otherwise slip through the most thorough manual checks and provides coverage that would take staggering human effort to replicate. NIST's guidelines for software verification, recently released in response to the White House Executive Order on Improving the Nation's Cybersecurity, specify fuzzing among the minimum standard requirements for code verification. Today, we are excited to announce ClusterFuzzLite, a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed, enhancing the overall security of the software supply chain. Since its release in 2016, over 500 critical open source projects have integrated into Google's OSS-Fuzz program, resulting in over 6,500 vulnerabilities and 21,000 functional bugs being fixed. ClusterFuzzLite goes hand-in-hand with OSS-Fuzz, by catching regression bugs much earlier in the development process. Large projects including systemd and curl are already using ClusterFuzzLite during code review, with positive results. According to Daniel Stenberg, author of curl, “When the human reviewers nod and have approved the code and your static code analyzers and linters can't detect any more issues, fuzzing is what takes you to the next level of code maturity and robustness. OSS-Fuzz and ClusterFuzzLite help us maintain curl as a quality project, around the clock, every day and every commit.” With the release of ClusterFuzzLite, any project can integrate this essential testing standard and benefit from fuzzing. ClusterFuzzLite offers many of the same features as ClusterFuzz, such as continuous fuzzing, sanitizer support, corpus management, and coverage report generation. Most importantly, it's easy to set up and works with closed source projects, making ClusterFuzzLite a convenient option for any developer who wants to fuzz their software. | Tags: Uber
GoogleSec | 2021-11-01 12:41:31 | Trick & Treat! 🎃 Paying Leets and Sweets for Linux Kernel privescs and k8s escapes (direct link) | Posted by Eduardo Vela, Google Bug Hunters Team. Starting today and for the next 3 months (until January 31 2022), we will pay 31,337 USD to security researchers that exploit privilege escalation in our lab environment with a patched vulnerability, and 50,337 USD to those that use a previously unpatched vulnerability, or a new exploit technique. We are constantly investing in the security of the Linux Kernel because much of the internet, and Google, from the devices in our pockets to the services running on Kubernetes in the cloud, depend on the security of it. We research its vulnerabilities and attacks, as well as study and develop its defenses. But we know that there is more work to do. That's why we have decided to build on top of our kCTF VRP from last year and triple our previous reward amounts (for at least the next 3 months). Our base reward for each publicly patched vulnerability is 31,337 USD (at most one exploit per vulnerability), but the reward can go up to 50,337 USD in two cases: if the vulnerability was otherwise unpatched in the Kernel (0day), or if the exploit uses a new attack or technique, as determined by Google. We hope the new rewards will encourage the security community to explore new Kernel exploitation techniques to achieve privilege escalation and drive quicker fixes for these vulnerabilities. It is important to note that the easiest exploitation primitives are not available in our lab environment due to the hardening done on Container-Optimized OS. Note this program complements Android's VRP rewards, so exploits that work on Android could also be eligible for up to 250,000 USD (that's in addition to this program). The mechanics are: Connect to the kCTF VRP cluster, obtain root and read the flag (read this writeup for how it was done before, and this threat model for inspiration), and then submit your flag and a checksum of your exploit in this form. (If applicable) report vulnerabilities to upstream. We strongly recommend including a patch since that could qualify for an additional reward from our Patch Reward Program, but please report vulnerabilities upstream promptly once you confirm they are exploitable. Report your finding to Google VRP once all patches are publicly available (we don't want to receive details of unpatched vulnerabilities ahead of the public). Provide the exploit code and the algorithm used to calculate the hash checksum. A rough description of the exploit strategy is welcome. Reports will be triaged on a weekly basis. If anyone has problems with the lab environment (if it's unavailable, technical issues or other questions), contact us on Discord in #kctf. You can read more details about the program here. Happy hunting! | Tags: Uber
TechRepublic | 2021-11-01 10:02:01 | Java, microservices, Docker and Kubernetes: Learn to use them to create an efficient enterprise (direct link) | If companies get too far behind the curve when adapting to cloud infrastructure, they are giving competitors an unnecessary edge. This five-book masterclass can get you on track. | Tags: Uber
bleepingcomputer | 2021-10-20 11:49:39 | Google: YouTubers' accounts hijacked with cookie-stealing malware (direct link) | Google says YouTube creators have been targeted with password-stealing malware in phishing attacks coordinated by financially motivated threat actors since at least late 2019. [...] | Tags: Malware, Uber
Last update at: 2024-05-10 09:08:22