Kévin Schouteeten
Hi, I'm Kévin Schouteeten, a pentester at Synacktiv, a French company dedicated to offensive information security. Over the last 16 years (yes, I'm old), I've had multiple careers, first as a developer, then as a malware analyst, and now as a penetration tester. Since joining Synacktiv, I've been able to work with a wide variety of technologies, but this latest discovery regarding Azure environments and Kubernetes has pushed me to prepare this talk.
Sessions
Kubernetes clusters rely on TLS for secure and authenticated internal communication. However, managing TLS certificates in such environments can be complex, so Kubernetes offers built-in mechanisms for certificate signing and distribution to ease this task. Bootstrap tokens play an important role in this process: they serve as initial identities that allow a node to submit certificate signing requests, and those requests are typically approved and signed automatically. As is often the case in security, this ease of use opens up attack vectors.
This presentation will delve into the mechanics of Kubernetes authentication and bootstrap tokens to highlight exploitation possibilities of such tokens.
Inspired by Marc Wickenden's research on Google GKE TLS bootstrapping, we will demonstrate a new attack on AKS (Azure) clusters that will not be fixed by Microsoft.
In modern software development, pulling open-source libraries and packages from registries such as npm, PyPI, Go modules and crates.io for Rust has become standard practice. This approach makes it quick to integrate diverse functionality into applications, driving both innovation and efficiency across the development community. While the benefits of using these resources are clear, managing external dependencies raises its own security and maintainability concerns.
Inspired by Alex Birsan's blog post on dependency confusion, we are going to introduce the tool Depfuzzer, which searches for missing or unmaintained dependencies across various projects.
The tool first lists all the dependencies of the projects, then gathers information about each of them from https://deps.dev/. From there, it can determine whether a dependency still exists in its registry and whether it is still maintained.
Other checks have also been added, such as verifying that the maintainer's e-mail address is still valid.
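To make that workflow concrete, here is an added Python example (not Depfuzzer's own code) that lists the dependencies declared in a requirements.txt, asks deps.dev whether each package exists and when it was last released, and flags the missing or stale ones. The deps.dev URL pattern and response shape (`versions[].publishedAt`) are assumed from the public v3 API, the sample responses and requirements are constructed, and the maintainer e-mail check is not reproduced.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen
# deps.dev v3 endpoint; URL pattern and response shape assumed from the public API docs.
API = "https://api.deps.dev/v3/systems/{system}/packages/{name}"
STALE_AFTER = timedelta(days=2 * 365)  # no release for two years -> flag as "stale"

def parse_requirements(text):
    """Dependency names from a pip requirements.txt; comments and pip options are skipped."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    found = (re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", ln) for ln in lines if ln and not ln.startswith("-"))
    return [m.group(0).lower() for m in found if m]

def fetch_package(system, name):
    """Query deps.dev; returns the parsed JSON, or None when the registry has no such package."""
    try:
        with urlopen(API.format(system=system, name=quote(name, safe=""))) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code != 404:
            raise
        return None

def assess(system, name, fetch=fetch_package, now=None):
    """Classify one dependency as 'missing' (not in the registry), 'stale' or 'ok'."""
    data = fetch(system, name) or {}
    dates = [v["publishedAt"] for v in data.get("versions", []) if v.get("publishedAt")]
    if not dates:
        return "missing"  # unknown package, or nothing published to judge by
    latest = max(datetime.fromisoformat(d.replace("Z", "+00:00")) for d in dates)
    now = now or datetime.now(timezone.utc)
    return "stale" if now - latest > STALE_AFTER else "ok"

def audit(requirements_text, system="pypi", fetch=fetch_package, now=None):
    """Run the check over every dependency declared in a requirements file."""
    return {n: assess(system, n, fetch, now) for n in parse_requirements(requirements_text)}

# Constructed stand-in for deps.dev answers so the example runs offline.
SAMPLE_RESPONSES = {
    ("pypi", "requests"): {"versions": [{"publishedAt": "2023-05-22T15:12:00Z"}]},
    ("pypi", "oldlib"): {"versions": [{"publishedAt": "2015-01-01T00:00:00Z"}]},
}
SAMPLE_REQUIREMENTS = "requests==2.31.0\noldlib>=1.0  # abandoned\ninternal-tool\n"

def fake_fetch(system, name):
    return SAMPLE_RESPONSES.get((system, name))
```

Calling `audit(SAMPLE_REQUIREMENTS, fetch=fake_fetch)` classifies the three constructed entries; with the real `fetch_package` the same call queries deps.dev for each name, and a private name that comes back "missing" is exactly the kind of entry worth reserving in the public registry.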