漏洞描述
Checks for containers running with the allowPrivilegeEscalation flag enabled, which can increase security risks by allowing privileges to be escalated
k8s-allow-privilege-escalation-set: Containers run with allowPrivilegeEscalation enabled
PoC代码[已公开]
id: k8s-allow-privilege-escalation-set
info:
name: Containers run with allowPrivilegeEscalation enabled
author: princechaddha
severity: critical
description: Checks for containers running with the allowPrivilegeEscalation flag enabled, which can increase security risks by allowing privileges to be escalated
impact: |
Enabling allowPrivilegeEscalation in container deployments can result in elevated privileges, potentially allowing attackers to gain further access to host resources. This poses significant security risks.
remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security
flow: |
code(1);
for (let container of template.items) {
set("container", container)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get pods --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {pod: .metadata.name, containers: .spec.containers}'
javascript:
- code: |
let podData = JSON.parse(template.container);
podData.containers.forEach(container => {
if (container.securityContext && container.securityContext.allowPrivilegeEscalation === true) {
let result = (`Container '${container.name}' in pod '${podData.pod}' running with allowPrivilegeEscalation enabled.`);
Export(result);
}
});
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a0047304502202a429cde4b8fa211681a05274c7f415478742d7759267a1f68169a7e385a7759022100818f20a09ec427a2a2befa5528f3075acc4abae50aef7a0ae372cee4bcf10e8f:922c64590222798bb761d5b6d8e72950