[Security Issue] Warning the insecure usages of eBPF


fripSide

Jun 5, 2023, 11:51:07 PM
to kubernetes-security-discuss
Hello,

I'm writing this thread to uncover the hazards of eBPF misuse to the Docker and Kubernetes community.

Some eBPF helpers [1] have long been known to be dangerous and can be used for evil purposes in Linux hosts. We find that these features can also be exploited to harm the containers by performing various attacks on the processes outside the container in the entire VM, such as process DoS, information theft, and container escape.

When a container is granted to run eBPF tracing programs (which need CAP_SYS_ADMIN), it can use the eBPF KProbe programs to hijack the processes outside the container and to escape the containers. This kind of risk is limited, as privileged containers are warned about and can hardly be accessed by the attackers.

However, even without CAP_SYS_ADMIN, since Linux 5.6, programs with CAP_BPF + CAP_PERFMON can use eBPF tracing features to read the memory of all processes in the VM. This is possible as dangerous eBPF helpers such as bpf_read_user do not require extra permissions. Attackers can use this feature to steal sensitive data (e.g., sshd/nginx private keys) in other containers. To make matters worse, we find that nearly 3% of containers on Dockerhub may mistakenly enable eBPF features and bring a high risk of eBPF misuse.

The risks of eBPF misuse are extremely dangerous for Kubernetes, as attackers can access files of other Pods in the same VM. They can abuse the service accounts of other Pods to mount cross-node attacks. Currently, we notice that many Pods with powerful service accounts (with Pod update permissions) may be deployed on all nodes as DaemonSet Pods, which can be easily exploited by the eBPF adversaries on the same nodes. By abusing these Pods' service accounts, they can easily perform cross-node attacks by deploying malicious Pods or executing commands on other nodes.

To minimize the risks, we hope you can consider this threat and warn Kubernetes users in the security advisory.
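An added example (not part of the post or from its author): a small Python audit that walks a Pod manifest and flags containers whose securityContext grants the capabilities the post describes as enabling eBPF tracing (privileged, SYS_ADMIN, or BPF together with PERFMON). The capability-set mapping and the sample manifest are assumptions constructed for illustration.

```python
import json

# Capability sets that let a container load eBPF tracing programs (assumed
# mapping, taken from the post: CAP_SYS_ADMIN alone, or CAP_BPF + CAP_PERFMON
# on Linux >= 5.6). Kubernetes writes these without the "CAP_" prefix.
EBPF_CAP_SETS = ({"SYS_ADMIN"}, {"BPF", "PERFMON"})


def ebpf_capable(container: dict) -> list[str]:
    """Return the reasons this container spec could load eBPF tracing programs."""
    sc = container.get("securityContext") or {}
    reasons = []
    if sc.get("privileged"):
        reasons.append("privileged: true grants all capabilities")
    caps = sc.get("capabilities") or {}
    # Normalise to upper-case names without the CAP_ prefix; 'add' wins over 'drop'.
    added = {c.upper().removeprefix("CAP_") for c in caps.get("add", [])}
    if "ALL" in added:
        reasons.append("capabilities.add includes ALL")
    for needed in EBPF_CAP_SETS:
        if needed <= added:
            reasons.append("capabilities.add includes " + "+".join(sorted(needed)))
    return reasons


def audit_pod(pod: dict) -> dict[str, list[str]]:
    """Map each flagged container name (regular and init) to its findings."""
    spec = pod.get("spec", {})
    findings = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        reasons = ebpf_capable(c)
        if reasons:
            findings[c["name"]] = reasons
    return findings


# Constructed sample manifest (not from the post): one container adds only
# BPF+PERFMON, which is enough to read other processes' memory; one is benign.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "node-agent"},
 "spec": {"serviceAccountName": "node-agent-sa", "containers": [
   {"name": "tracer", "image": "example/tracer",
    "securityContext": {"capabilities": {"add": ["BPF", "PERFMON"], "drop": ["ALL"]}}},
   {"name": "web", "image": "example/web",
    "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}
""")

if __name__ == "__main__":
    for name, reasons in audit_pod(SAMPLE_POD).items():
        print(f"{name}: {'; '.join(reasons)}")
```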