New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Researcher Discovers Kubernetes Denial of Service Vulnerability

CVE-2021-20291 was discovered earlier this month by Aviv Sasson. This effort was part of a security audit surveying multiple Go libraries that Kubernetes relies on to function. This vulnerability lies with the container/storage library leading to a Denial of Service (DoS) of engines CRI-O and Podman. Threat actors may compromise any containerized infrastructure relying on these engines. Listed below are the functions affected by this issue.

Fails to pull new imagesFails to pull new images
Fails to start any new containersFails to retrieve running pods
Fails to retrieve local image listFails to start new containers
Fails to kill containersFails to exec into containers
 Fails to retrieve existing images
 Fails to kill existing containers

Analyst Notes

Thanks to the pro-active efforts of Aviv Sasson, these vulnerabilities were discovered and responsibly disclosed so they could be addressed. While Kubernetes is an industry standard and in wide use, there are still issues to be ironed out, as with any software deployed in an enterprise. Having a dedicated team supplementing and working alongside System Administrators and technicians eases the responsibilities of those critical roles. A Threat Hunting team such as the team here at Binary Defense is actively looking for vulnerabilities such as these. With strong detection and mitigation efforts, issues may be resolved quickly and with care allowing infrastructure to serve users as intended.