BSidesTLV 2024 - "I Own your Cluster" - Taking over AWS clusters using Chain Attack

Tags: BSidesTLV, BSidesTLV2024, CyberSecurity, TelAviv, Tel Aviv, Security BSides, Cyberweek, Israel

Author: BSidesTLV

Uploaded: 2024-08-13

Views: 129

Description: Speaker: Chen Shiri

In this talk, we explore my research into AWS Elastic Kubernetes Service (EKS) that identifies critical vulnerabilities in the service. The talk will focus on two significant security flaws that pose considerable risks to thousands of EKS clusters. We'll delve into a sophisticated chain attack methodology I've developed, which exploits these vulnerabilities to take over Kubernetes nodes and clusters. This attack exposes the risk of unauthorized access and data compromise within Kubernetes environments on AWS. The session will detail how attackers, even with restricted permissions, can bypass existing security measures, breach secured pods, and gain access to the privileged KubeAPI. We will also dissect the AWS EKS architecture, pinpointing the crucial components that facilitate these attacks, thus providing attendees with a deep understanding of the attack chain's intricacies and its leverage over AWS cloud infrastructure.

Session Details: The talk offers critical insights into a significant cybersecurity challenge affecting AWS Elastic Kubernetes Service (EKS). My research reveals two zero-day vulnerabilities that compromise the pod isolation mechanism, potentially impacting numerous organizations.

Key Findings from the Talk:

1. Critical Vulnerabilities: We identify two zero-day vulnerabilities within AWS EKS that allow attackers with limited access to bypass security measures and gain access to the privileged KubeAPI and the cluster data.
2. Chain Attack Methodology: The chain attack methodology developed for this research leverages the vulnerabilities to showcase a systemic failure within AWS EKS security. It utilizes instance metadata, Kubernetes capabilities, and AWS mechanisms to gain comprehensive control over entire clusters.
3. Implications: The vulnerabilities discussed carry severe consequences, potentially leading to unauthorized access to sensitive information.
4. Proof of Concept: A live proof of concept video is included in the talk, which clearly demonstrates the execution of the attack, emphasizing the critical need for immediate remediation of these vulnerabilities.

Technical Details:

• Instance Metadata Exploitation: The attack exploits instance metadata by querying data from the EC2 VM Role, which is accessible from containers within the Kubernetes environment. Through this, an attacker obtains a temporary token and gains access to extensive information about the cloud environment, including ARNs, networking details, and instance-specific data.
• Kube-Config Manipulation: By manipulating Kube-Config files, the attacker retrieves and uses information that grants unauthorized access to the Kubernetes cluster, facilitating interaction with the Kubernetes API and providing detailed insights into the cluster's structure.
• Pod Access and Breakout: Successfully breaching pod security, the attacker implements a breakout strategy, gaining access to the node and subsequently to all containers, their data, secrets, and authentication credentials.
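The first link in the chain described above is a pod querying the node's instance metadata service (IMDS) and receiving the node role's temporary credentials. The script below is an added example, not code from the talk or from AWS: `probe_imds()` is the check an attacker (or a red teamer) runs from inside a pod to see whether IMDSv1 answers without a token, whether an IMDSv2 token response crosses the pod bridge, and which role would be exposed; `audit_metadata_options()` is the defender's side, run over the `MetadataOptions` block that `aws ec2 describe-instances` returns, flagging nodes where that path is still open and emitting the `aws ec2 modify-instance-metadata-options` remediation. The instance IDs and the describe-instances sample are constructed; no AWS call is made.

```python
"""
Pod -> IMDS -> node-role exposure: attacker-side probe and operator-side audit.
Added example; assumes the JSON shape of `aws ec2 describe-instances` and a
constructed sample instead of a live account.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Link-local metadata endpoint, reachable from any pod that shares the node's route to it.
IMDS = "http://169.254.169.254"


def _fetch(url: str, headers: Optional[dict] = None, method: str = "GET",
           timeout: float = 2.0) -> Optional[str]:
    """Single HTTP request; None on any network/HTTP failure so probing never raises."""
    req = urllib.request.Request(url, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except (urllib.error.URLError, OSError):
        return None


def probe_imds(base: str = IMDS) -> dict:
    """Run inside a pod. Reports whether IMDSv1 (token-less GET) or IMDSv2 (PUT
    token, then GET) reaches the node's IMDS, and which IAM role it would hand out."""
    result = {"imdsv1": False, "imdsv2": False, "role": None}
    creds = f"{base}/latest/meta-data/iam/security-credentials/"
    role = _fetch(creds)                                   # IMDSv1: no token needed
    if role:
        result["imdsv1"], result["role"] = True, role.strip()
    token = _fetch(f"{base}/latest/api/token",
                   {"X-aws-ec2-metadata-token-ttl-seconds": "60"}, method="PUT")
    if token:                                              # PUT reply crossed the bridge: hop limit >= 2
        result["imdsv2"] = True
        role = _fetch(creds, {"X-aws-ec2-metadata-token": token})
        if role:
            result["role"] = role.strip()
    return result


@dataclass(frozen=True)
class Finding:
    instance_id: str
    reason: str
    fix: str   # AWS CLI command that closes the path


def audit_metadata_options(describe_instances: dict) -> list:
    """Operator side: flag nodes whose IMDS settings let a pod obtain node-role credentials."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            mo = inst.get("MetadataOptions", {})
            if mo.get("HttpEndpoint") == "disabled":
                continue                                   # nothing for a pod to query
            tokens = mo.get("HttpTokens", "optional")      # EC2 default: IMDSv1 still allowed
            hop = int(mo.get("HttpPutResponseHopLimit", 1))
            fix = (f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
                   "--http-tokens required --http-put-response-hop-limit 1")
            if tokens != "required":
                findings.append(Finding(iid, "IMDSv1 enabled: a pod can GET node-role "
                                             "credentials with no token", fix))
            elif hop > 1:
                findings.append(Finding(iid, f"IMDSv2 only, but hop limit {hop} lets a pod's "
                                             "PUT token request be answered", fix))
    return findings


# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]}


if __name__ == "__main__":
    for f in audit_metadata_options(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{f.instance_id}: {f.reason}\n    fix: {f.fix}")
    # From inside a pod: print(probe_imds())
```

Two caveats the audit cannot see: a pod running with `hostNetwork: true` sits in the node's network namespace and is not stopped by the hop limit, and workloads that legitimately need AWS credentials should get them through IRSA or EKS Pod Identity rather than the node role, so that a NetworkPolicy denying egress to 169.254.169.254/32 can be applied to everything else.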



© 2025 ycliper. All rights reserved.