This week in cloud news: 7/26/21
This week we've got lots of noise about security holes, and a surprise from Microsoft.
Server and Kubernetes security in the spotlight
Several security issues made the news last week, with the worst of it surrounding two vulnerabilities within Linux itself. The first is in the Linux kernel, and the second is in the systemd utility.
Put simply, the Sequoia vulnerability lets an ordinary user use extremely long mount paths to give themselves root privileges and take over the system. As Steven J. Vaughan-Nichols writes in ZDNet, "Pretty much any Linux distro is vulnerable to this trick," but the problem has been fixed starting with kernel version 5.13.4, and patches exist for previous versions, so upgrade as soon as you can.
"If you can't upgrade your kernel," Vaughan-Nichols continues, "you can still mitigate the problem by setting /proc/sys/kernel/unprivileged_userns_clone to 0. ... You should also set /proc/sys/kernel/unprivileged_bpf_disabled to 1." He does point out, though, that this might not completely protect you. "The only sure way to stop this security hole in its tracks is to update your kernel."
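The mitigation checks quoted above, written up as an added shell example (not from the original post or from ZDNet): it compares the running kernel against 5.13.4 and reads the two sysctl knobs. The function names (version_ge, knob_ok, sequoia_report) are my own, and the kernel version and knob paths are optional arguments so the checks can be exercised against constructed files instead of the live /proc.

```shell
# Added example, not from the original post: report whether a host is covered
# against Sequoia by kernel version, and whether the two sysctl mitigations
# quoted above are set. Version and knob paths can be overridden for testing.

# version_ge A B: succeed when dotted version A is at least version B.
# Any distro suffix after the numeric part (e.g. "-arch1-1") is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a$b" ]; do
        x=${a%%.*}; y=${b%%.*}                # leading component of each
        [ "$x" = "$a" ] && a='' || a=${a#*.}  # drop it from the remainder
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}                  # a missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# knob_ok FILE EXPECTED: 0 if FILE holds EXPECTED, 1 if it holds another value,
# 2 if the knob is absent (unprivileged_userns_clone is a distro patch, so not
# every kernel exposes it; absence means "cannot apply", not "unsafe").
knob_ok() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "$2" ]
}

# sequoia_report [KERNEL] [USERNS_FILE] [BPF_FILE]: print findings and return
# the number of failed checks (0 = fixed kernel and both knobs set).
sequoia_report() {
    kver=${1:-$(uname -r)}; bad=0
    userns=${2:-/proc/sys/kernel/unprivileged_userns_clone}
    bpf=${3:-/proc/sys/kernel/unprivileged_bpf_disabled}
    if version_ge "$kver" 5.13.4; then
        echo "kernel $kver: 5.13.4 or later, fix is in mainline"
    else
        echo "kernel $kver: below 5.13.4; confirm your distro backported the fix"
        bad=$((bad + 1))
    fi
    for spec in "$userns:0" "$bpf:1"; do
        f=${spec%:*}; want=${spec##*:}; r=0
        knob_ok "$f" "$want" || r=$?
        case $r in
            0) echo "$f = $want: mitigation set" ;;
            1) echo "$f: not $want, mitigation NOT set"; bad=$((bad + 1)) ;;
            *) echo "$f: knob not present on this kernel" ;;
        esac
    done
    return "$bad"
}
```

Run `sequoia_report` with no arguments on a host to check the live kernel and /proc; a kernel below 5.13.4 with a backported fix still shows as "below 5.13.4", which is why the message tells you to confirm with your distro rather than treating the version alone as the answer.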
Sequoia was discovered by researchers at Qualys, who also found a similar problem in systemd: in this case, mounting a huge file path can crash the entire server. Fortunately, fixes for this problem are also available and ready for installation.
Unfortunately, the hits just keep on coming. Even if your servers are properly secured, researchers have discovered that improperly configured Argo Workflows deployments can expose your Kubernetes clusters.
Argo Workflows is "an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes," and researchers discovered that "In many instances, permissions are configured which allow any visiting user to deploy workflows," according to Intezer security researchers Ryan Robinson and Nicole Fishbein.
In addition to running malicious workloads, hackers can potentially access "code, credentials and private container-image names (which can be used to assist in other kinds of attacks)."
Prevention is a matter of good hygiene; simply put, Argo Workflows should be configured to refuse anonymous access, or should be installed on servers that are not reachable from outside your trusted environment. (Or, preferably, both.)
And while we're on the topic, developers of the Helm Kubernetes package manager discovered a vulnerability of their own that allowed usernames and passwords to be passed from one domain used by an image repository to another. This one's easy to fix: upgrade Helm.
With technology moving so fast, it's impossible for anyone to really be able to plug all the holes, but if you're starting to feel like there might be some kind of "knowledge gap" out there, you're not far wrong. This week Aqua Security released a survey of 150 security professionals and IT executives. The headline finding is that only 3% of respondents realized that a vulnerability in a container can spread to the host, and thus to the entire IT environment, but 32% were confident in their ability to stop an attack in progress.
Perhaps not surprisingly, security professionals with 5 or more years of experience were significantly less confident in their ability to prevent various types of attacks.
Microsoft releases its own Linux distribution? Insert "hell freezes over" joke here
Linux creator Linus Torvalds once said that "If Microsoft ever does applications for Linux it means I've won."
The fact is that despite former CEO Steve Ballmer's comment that "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches," Microsoft has long since embraced open source; The Verge writes that the company is now the largest contributor to open source in the world. Even so, most people weren't ready for the announcement that Microsoft has released its own Linux distribution, CBL-Mariner.
CBL-Mariner (the CBL stands for "Common Base Layer") is meant to be a small Linux distro, suitable for containerized and edge deployments, with short start times and a minimized attack surface, while still allowing additional packages to be layered on if necessary.
In actuality, we shouldn't be too surprised. Microsoft has been edging toward Linux for several years now, from the Windows Subsystem for Linux to Azure Sphere, which provides a Linux kernel for edge devices. The company even has a Linux Systems Group.
Still, the thought of a "Microsoft Linux" sounds … weird.
In fact, CBL-Mariner is meant for Microsoft's internal use in containers and edge deployments, but it's publicly available on GitHub, and with a (fairly) simple tutorial released by Microsoft engineer Juan Manuel Rey, anyone with a minimum of Linux experience can try it out.
And while you're here…
One more thing for the week: we're currently building out new sections of our website detailing how to create your own Kubernetes lab at home, and also a guide to various cloud-native concepts, so please let us know what you think, and what topics you'd like us to cover!