Tool Release – insject: A Linux Namespace Injector

tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. While … Continue reading Tool Release – insject: A Linux Namespace Injector →

Detection Engineering for Kubernetes clusters

Written by Ben Lister and Kane Ryans This blog post details the collaboration between NCC Group's Detection Engineering team and our Containerisation team in tackling detection engineering for Kubernetes. Additionally, it describes the Detection Engineering team's more generic methodology around detection engineering for new/emerging technologies and how it was used when developing detections for Kubernetes-based … Continue reading Detection Engineering for Kubernetes clusters →

NSA & CISA Kubernetes Security Guidance – A Critical Review

Last month, the United States' National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report (CTR) detailing the security hardening they recommend be applied to Kubernetes clusters, which is available here. The guidance the document contains is generally reasonable, but there are several points which are either incorrect or … Continue reading NSA & CISA Kubernetes Security Guidance – A Critical Review →

Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes

Wubes is like Qubes but for Microsoft Windows. The idea is to leverage the Windows Sandbox technology to spawn applications in isolation. We currently support spawning a Windows Sandbox for the Firefox browser, with other applications easily added.

ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again

This post is a technical discussion of the underlying vulnerability of CVE-2020-15257, and how it can be exploited. Our technical advisory on this issue is available here, but this post goes much further into the process that led to finding the issue, the practicalities of exploiting the vulnerability itself, various complications around fixing the issue, … Continue reading ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again →

Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)

Vendor: containerd Project Vendor URL: https://containerd.io/ Versions affected: 1.3.x, 1.2.x, 1.4.x, others likely Systems Affected: Linux Author: Jeff Dileo CVE Identifier: CVE-2020-15257 Advisory URL: https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4 Risk: High (full root container escape for a common container configuration) Summary containerd is a container runtime underpinning Docker and common Kubernetes configurations. It handles abstractions related to containerization and … Continue reading Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257) →

The CIS Security Standard for Docker available now

This is just a short blog post to announce the availability of the new CIS Security Standard for Docker 1.12 which NCC Group was involved in co-authoring and contributing to. The Docker project (and containerisation as a concept in general) has become a hot topic in various aspects of IT over the last few years. … Continue reading The CIS Security Standard for Docker available now →

Adventures in Xen Exploitation

tl;dr This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217). This issue was patched in June 2012 and was disclosed in Xen Security Advisory 7 [1]. The bug was found by Rafal Wojtczuk and Jan Beulich. Rafal gave a talk about it at BlackHat USA 2012, [2][3]. Xen versions unpatched … Continue reading Adventures in Xen Exploitation →