Is my Kubernetes pod protected against host mounting?

In privileged mode, Kubernetes pods can mount the host filesystem and may be subject to container escape. This chain attempts to mount the host filesystem to test whether the host is vulnerable to a container escape. It is critical that pods are not able to mount the host filesystem, as attackers may create persistence by altering mounted files, elevating privileges, and escaping the container.
This week, we are taking a quick break from container exploits and releasing another CVE TTP:
  • Is my Kubernetes pod protected against host mounting?

Is my Kubernetes pod protected against host mounting?

Kubernetes describes itself as a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation.

A Kubernetes pod, the smallest deployable unit of computing, is a group of one or more containers, such as Docker containers. When a pod runs multiple containers, the containers are managed as a single entity and share the pod's resources, such as storage and network services.

A container escape may allow an attacker to enter other containers in that pod. In the case of host mounting, where the Kubernetes host's filesystem can be mounted from within a pod, an attacker may escape the container and access the host system.

Testing

Execute Operator’s Is my Kubernetes pod protected against host mounting? TTP on each Kubernetes pod in your environment to test if you are vulnerable.

This chain is configured to test if host filesystem mounting is possible in the pod by attempting to mount it to a /host/ directory. If the host filesystem can be mounted, the TTP reads /etc/passwd from the host and returns the output to Operator.

Remediation

To protect yourself, do not run your pods with privileged mode enabled.
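As an added example (not Prelude's TTP code), the following Python audit reads the JSON that `kubectl get pods -A -o json` returns and lists every container running with `privileged: true`, the setting the remediation above says to avoid. `SAMPLE_PODS_JSON` is a constructed stand-in for real cluster output, and the hostPath check goes beyond the post by also flagging volumes that mount host directories directly.

```python
"""Audit kubectl pod JSON for containers able to mount the host filesystem."""
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`
# (not output from a real cluster).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "web-1", "namespace": "prod"},
     "spec": {"containers": [
         {"name": "nginx", "securityContext": {"privileged": False}}]}},
    {"metadata": {"name": "debug-tools", "namespace": "ops"},
     "spec": {"containers": [
         {"name": "shell", "securityContext": {"privileged": True}}],
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
    {"metadata": {"name": "worker", "namespace": "prod"},
     "spec": {"initContainers": [
         {"name": "init", "securityContext": {"privileged": True}}],
         "containers": [{"name": "app"}]}},
]})


def find_host_mount_risks(pods_json: str) -> list:
    """Return one finding per privileged container and one per hostPath
    volume, in the order the pods appear in the JSON."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        ns, name = meta["namespace"], meta["name"]
        # Init containers carry the same securityContext field, so audit
        # them alongside the regular containers.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged") is True:
                findings.append({"namespace": ns, "pod": name,
                                 "container": c["name"],
                                 "reason": "privileged"})
        # Generalisation beyond the post: a hostPath volume exposes host
        # directories even without privileged mode.
        for v in spec.get("volumes", []):
            if "hostPath" in v:
                findings.append({"namespace": ns, "pod": name,
                                 "container": None,
                                 "reason": "hostPath:" + v["hostPath"]["path"]})
    return findings


if __name__ == "__main__":
    for finding in find_host_mount_risks(SAMPLE_PODS_JSON):
        print(finding)
```

To audit a live cluster, pass the text of `kubectl get pods -A -o json` to `find_host_mount_risks` instead of the sample.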

Check out the TTP Is my Kubernetes pod protected against host mounting? on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org