Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)

Vendor: containerd Project Vendor URL: https://containerd.io/ Versions affected: 1.3.x, 1.2.x, 1.4.x, others likely Systems Affected: Linux Author: Jeff Dileo CVE Identifier: CVE-2020-15257 Advisory URL: https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4 Risk: High (full root container escape for a common container configuration) Summary containerd is a container runtime underpinning Docker and common Kubernetes configurations. It handles abstractions related to containerization and … Continue reading Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)

Conference Talks – November 2020

This month, members of NCC Group will be presenting their work at the following conferences: Sourya Biswas, "Cybersecurity is War: Lessons from Historical Conflicts," to be presented at BSidesCT (Virtual - November 14 2020) Ian Coldwater (Independent), Duffie Cooley, Brad Geesaman (Darkbit), and Rory McCune (NCC Group), "Keynote: SIG-Honk AMA Panel: Hacking and Hardening in … Continue reading Conference Talks – November 2020

Tool Release – ScoutSuite 5.10

We’re proud to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on Github)! Notable improvements and features include: CoreBreaking change: support for Python 3.5 has been deprecatedMoved unit tests from nose to pytest & improved coverageBug fixes and improved error handlingAWSCreated a ruleset for the AWS CIS Benchmark version 1.2Can … Continue reading Tool Release – ScoutSuite 5.10

Conference Talks – October 2020

This month, members of NCC Group will be presenting their work at the following conferences: Dirk-Jan Mollema, "Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities," to be presented at Black Hat Asia 2020 (Virtual - October 1 2020)Sanne Maasakkers, "Improve Security Awareness Campaigns by Applying Phishing Research," to be presented … Continue reading Conference Talks – October 2020

Conference Talks – September 2020

This month, NCC Group researchers will be presenting their work at the following conferences: Rami McCarthy, "AWS Security: Easy Wins and Enterprise Scale," to be presented at BSides Boston (Virtual - September 26 2020)Dirk-Jan Mollema, "Walking Your Dog in Multiple Forests: Breaking AD Trust Boundaries through Kerberos Vulnerabilities," to be presented at Black Hat Asia … Continue reading Conference Talks – September 2020

The Extended AWS Security Ramp-Up Guide

On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is "to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow … Continue reading The Extended AWS Security Ramp-Up Guide

A Survey of Istio’s Network Security Features

Istio is a service mesh, which, in general, exist as a compliment to container orchestrators (e.g. Kubernetes) in order to provide additional, service-centric features surrounding traffic management, security, and observability. Istio is arguably the most popular service mesh (using GitHub stars as a metric). This blog post assumes working familiarity with Kubernetes and microservices, but … Continue reading A Survey of Istio’s Network Security Features

Conference Talks – March 2020

This month, members of NCC Group will be presenting their work at the following conferences: Adam Rudderman, "Bug Bounty: Why is this happening?" presented at Nullcon Goa (Goa, India - March 3-7 2020) Rob Wood, "[Panel]: CSIS Security Panel Discussion," presented at OCP Global Summit (San Jose, CA - March 4-5 2020) Rory McCune, "[Training]: … Continue reading Conference Talks – March 2020

Deep Dive into Real-World Kubernetes Threats

On Saturday, February 1st, I gave my talk titled “Command and KubeCTL: Real-World Kubernetes Security for Pentesters” at Shmoocon 2020. I’m following up with this post that goes into more details than I could cover in 50 minutes. This will re-iterate the points I attempted to make, walk through the demo, and provide resources for … Continue reading Deep Dive into Real-World Kubernetes Threats

Conference Talks – February 2020

This month, members of NCC Group will be giving the following 6 conference presentations: Mark Manning, "Command and KubeCTL: Real-World Kubernetes Security for Pentesters" presented at Shmoocon (Washington, DC - January 31-February 2 2020)Clint Gibler, "How to 10X Your Company’s Security (Without a Series D)," presented at BSidesSF (San Francisco, CA - February 22-24 2020) Clint Gibler, … Continue reading Conference Talks – February 2020