KubiScan: Open Source tool to detect privileged users in Kubernetes

CyberArk Labs
1

We were accepted to BH EU Arsenal with KubiScan.
We were declined from BH EU presentation about Kuberntes RBAC.

We are going to submit new CFPs to Kubecon europe and BH Asia (arsenal and regular).
We will need to re-write our CFP and understand what could be wrong with them.

1 Like
2

That’s great about KubiScan @g0ku, a really interesting open source project! Would you mind sharing both abstract titles and summaries here for feedback?

I haven’t seen the submissions, but perhaps an abstract that ties the KubiScan OSS project more into exploiting and addressing Kubernetes RBAC vulnerabilities. It’s one thing to point to general RBAC best practices, but the research and the tools you wrote to support this set the topic apart from others!

3

Sure, I will be happy if you can look at it.

I am planning to submit a CFP to Black Hat Asia and I can do it till 28.10.

This is the CFP I submitted to BlackHat europe which was declined:
Title: A Hole in The Ship: Exploiting Kubernetes Risky RBAC permissions

Abstract:
Attackers are increasingly targeting Kubernetes clusters to compromise
applications or abuse resources.
At this session we will show how some permissions can be exploited to escalate privileges
and introduce a tool designed to discover and eliminate risky permissions.

Presentation Outline:
As Kubernetes becomes more popular it is inevitable that more clusters will come under attack by malicious actors wanting to compromise specific applications or opportunistic crooks looking to abuse resources for things like crypto-coin mining.

In this talk we are going to explore Kubernetes authentication and authorization mechanisms.
We will focus on the authorization model Role-Based Access Control (RBAC) permissions and talk about risky RBAC permissions and how we can take advantage of them and escalate our privileges (live demo).

We will continue and show how to reduce this attack surface and introduce an open source tool we created called “KubiScan” that’s designed to help blue and red teams to discover these risky permissions and find Pods with privileged service account token.