Public Report – Kubernetes 1.24 Security Audit
2023-04-17 13:01:13 Author: research.nccgroup.com (view original)

NCC Group was selected to perform a security evaluation of the Kubernetes 1.24.0 release in response to Kubernetes SIG Security's Third-Party Security Audit Request for Proposals. The testing portion of the audit took place in May and June 2022. The global project team performed a security architectural design review that resulted in the identification of findings concerning the secure design of Kubernetes. The team also performed dynamic native application pen tests, including a source code and cryptographic review, which found vulnerabilities in multiple components.

Key findings included: 

  • Concerns with the administrative experience
  • Flaws in communication between the API Server and the Kubelet which may result in an elevation of privilege
  • Flaws in input sanitization which provide a limited authorization bypass (publicly disclosed under CVE-2022-3162)

The Public Report for this review may be downloaded below.



Article source: https://research.nccgroup.com/2023/04/17/public-report-kubernetes-1-24-security-audit/