2024-07-04, 10:35–11:10 (Europe/Paris), Amphitheater
Kubernetes clusters rely on TLS for secure and authenticated internal communication. Managing TLS certificates in such environments can be complex, however, so Kubernetes offers built-in mechanisms to handle certificate signing and distribution. Bootstrap tokens play an important role in this process: they serve as initial identities that allow a new node to submit certificate signing requests, and these requests are typically approved and signed automatically. As often in security, this ease of use opens up attack vectors.
This presentation delves into the mechanics of Kubernetes authentication and bootstrap tokens to highlight how such tokens can be exploited.
Inspired by Marc Wickenden's research on TLS bootstrapping in Google GKE, we will demonstrate a new attack on AKS (Azure) clusters that Microsoft will not fix.
The presentation will be conducted as follows:
- A quick introduction of the speakers.
- A quick introduction to Kubernetes: master/node, control plane components, Kubelet.
- A description of the TLS communication between these components, leading to the authentication mechanisms: X.509 client certificates, JWT bearer tokens, user/password.
- A brief overview of authorization management in Kubernetes, with a focus on the special Node authorization mode.
- A presentation of CertificateSigningRequest (CSR) objects and bootstrap tokens, which solve the certificate distribution problem. We will demonstrate the deployment of a cluster with kubeadm.
- The attack applied to Azure AKS:
  - Presentation of the setup and prerequisites.
  - Discussion of how new nodes are deployed in AKS.
  - Retrieval and exploitation of the bootstrap token.
  - Privilege escalation to cluster admin.
  - Microsoft's response to our advisory.
  - Mitigation proposal.
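As an added example that is not part of the talk or its authors' material: the script below models the bootstrap flow the agenda describes, for a kubeadm-shaped cluster. Given a bootstrap token, the bootstrap-token Secret it must match and the cluster's ClusterRoleBindings, it reports which identity the token authenticates as and whether that identity is bound to the `system:certificates.k8s.io:certificatesigningrequests:nodeclient` ClusterRole, which is what lets the controller manager approve a node client CSR without human review; it also builds the kubeconfig and CSR object a kubelet (or whoever holds the token) would submit. The Secret keys and the binding names follow the upstream kubeadm defaults; the token value, expiry, node name and CSR name are constructed for the example. How the token is retrieved on AKS is not modelled, since the page does not give that detail.

```python
"""Audit a kubeadm-style bootstrap token: what identity it yields and whether that
identity can get a node client certificate signed automatically.
Added example, not code from the talk. All inputs below are constructed."""
import base64
import re
from datetime import datetime, timezone

TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")  # documented token format
BOOTSTRAPPERS = "system:bootstrappers"
NODECLIENT_APPROVER = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"


def parse_bootstrap_token(token):
    """Split '<id>.<secret>' after validating the documented format."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("expected a token of the form [a-z0-9]{6}.[a-z0-9]{16}")
    return m.group(1), m.group(2)


def token_subject(token, secret, now=None):
    """(username, groups) the API server assigns to this token, or None when the
    Secret would reject it (wrong name/type, mismatch, expired, auth usage off)."""
    token_id, token_secret = parse_bootstrap_token(token)
    if secret["type"] != "bootstrap.kubernetes.io/token":
        return None
    if secret["metadata"]["name"] != f"bootstrap-token-{token_id}":
        return None
    data = {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
    if data.get("token-id") != token_id or data.get("token-secret") != token_secret:
        return None
    if data.get("usage-bootstrap-authentication") != "true":
        return None
    exp = data.get("expiration")
    if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= (now or datetime.now(timezone.utc)):
        return None
    groups = [BOOTSTRAPPERS]
    for g in filter(None, data.get("auth-extra-groups", "").split(",")):
        if not g.startswith(BOOTSTRAPPERS + ":"):  # extra groups must live under this prefix
            raise ValueError(f"invalid auth-extra-group: {g}")
        groups.append(g)
    return f"system:bootstrap:{token_id}", groups


def autoapprove_bindings(username, groups, bindings):
    """Names of ClusterRoleBindings granting this identity the nodeclient approver role,
    i.e. the bindings a mitigation would remove or restrict."""
    hits = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] != NODECLIENT_APPROVER:
            continue
        for s in b.get("subjects", []):
            if (s["kind"] == "Group" and s["name"] in groups) or (s["kind"] == "User" and s["name"] == username):
                hits.append(b["metadata"]["name"])
                break
    return hits


def bootstrap_kubeconfig(server, ca_data_b64, token):
    """Kubeconfig used for the very first CSR, before the node has any certificate."""
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": "k8s", "cluster": {"server": server, "certificate-authority-data": ca_data_b64}}],
        "users": [{"name": "kubelet-bootstrap", "user": {"token": token}}],
        "contexts": [{"name": "bootstrap", "context": {"cluster": "k8s", "user": "kubelet-bootstrap"}}],
        "current-context": "bootstrap",
    }


def node_client_csr(node_name, csr_pem_b64):
    """CSR object a kubelet submits; the PEM must carry CN=system:node:<node>, O=system:nodes.
    The object name is illustrative (a real kubelet uses node-csr-<random>)."""
    return {
        "apiVersion": "certificates.k8s.io/v1", "kind": "CertificateSigningRequest",
        "metadata": {"name": f"node-csr-{node_name}"},
        "spec": {"request": csr_pem_b64, "signerName": "kubernetes.io/kube-apiserver-client-kubelet",
                 "usages": ["digital signature", "client auth"]},
    }


# Constructed sample data, shaped like what kubeadm creates.
SAMPLE_TOKEN = "abcdef.0123456789abcdef"
SAMPLE_SECRET = {
    "type": "bootstrap.kubernetes.io/token",
    "metadata": {"name": "bootstrap-token-abcdef", "namespace": "kube-system"},
    "data": {k: base64.b64encode(v.encode()).decode() for k, v in {
        "token-id": "abcdef", "token-secret": "0123456789abcdef",
        "expiration": "2099-01-01T00:00:00Z",
        "usage-bootstrap-authentication": "true", "usage-bootstrap-signing": "true",
        "auth-extra-groups": "system:bootstrappers:kubeadm:default-node-token",
    }.items()},
}
SAMPLE_BINDINGS = [
    {"metadata": {"name": "kubeadm:kubelet-bootstrap"},
     "roleRef": {"kind": "ClusterRole", "name": "system:node-bootstrapper"},
     "subjects": [{"kind": "Group", "name": "system:bootstrappers:kubeadm:default-node-token"}]},
    {"metadata": {"name": "kubeadm:node-autoapprove-bootstrap"},
     "roleRef": {"kind": "ClusterRole", "name": NODECLIENT_APPROVER},
     "subjects": [{"kind": "Group", "name": "system:bootstrappers:kubeadm:default-node-token"}]},
]


def audit(token=SAMPLE_TOKEN, secret=SAMPLE_SECRET, bindings=SAMPLE_BINDINGS, now=None):
    subj = token_subject(token, secret, now)
    if subj is None:
        return {"authenticates": False, "autoapprove_via": []}
    user, groups = subj
    return {"authenticates": True, "user": user, "groups": groups,
            "autoapprove_via": autoapprove_bindings(user, groups, bindings)}


if __name__ == "__main__":
    print(audit())
```

With the kubeadm defaults, `audit()` reports that the token authenticates as `system:bootstrap:abcdef` in group `system:bootstrappers:kubeadm:default-node-token`, and that `kubeadm:node-autoapprove-bootstrap` lets that group obtain a signed `system:node:<name>` certificate; the same function returns an empty `autoapprove_via` once that binding is removed, and `authenticates: False` once the token's expiration has passed, which are the two levers a mitigation can pull.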
Hi, I'm Kévin Schouteeten, a pentester at Synacktiv, a French company dedicated to offensive information security. Over the last 16 years (yes, I'm old), I've had multiple careers, first as a developer, then as a malware analyst, and now as a penetration tester. Since joining Synacktiv, I've been able to work with a wide variety of technologies, but this latest discovery regarding Azure environments and Kubernetes has pushed me to prepare this talk.
Hi, I'm Paul Barbé, a pentester and red team operator at Synacktiv, a French firm dedicated to offensive information security. Over the last 4 years, I have participated in a wide variety of offensive assessments, which has led me to develop an interest in cloud technologies. I share the knowledge I've gained about these technologies by serving as a trainer for our clients and student clubs.
I have published some advisories in the past, such as https://www.synacktiv.com/sites/default/files/2023-02/Advisory_Oracle_APS_JAPI_Lack_Access_Control_2021.pdf or https://www.synacktiv.com/sites/default/files/2023-06/synacktiv-ucopia-multiple-vulnerabilities-2022.pdf. This will be my first time sharing my research with the community, and I am both excited and hopeful to present my findings at the conference.