TRANSCRIPT
[Slide 1]
Do Containers Enhance Application Level Security?
Benjy Portnoy, CISA, CISSP
[Slide 2]
# whoami
Blue Coat -> Symantec
Director, DevSecOps @AquaSecTeam
[Slide 3]
I know, I’ll use Ruby on Rails!
[Slide 4]
> gem install rails
[Slide 5]
> gem install rails
Fetching: i18n-0.7.0.gem (100%)
Fetching: json-1.8.3.gem (100%)
Building native extensions. This could take a while...
ERROR: Error installing rails:
ERROR: Failed to build gem native extension.
/usr/bin/ruby1.9.1 extconf.rb
creating Makefile
make
sh: 1: make: not found
[Slide 6]
Ah, I just need to install make
[Slide 7]
> sudo apt-get install make
...
Success!
[Slide 8]
> gem install rails
[Slide 9]
> gem install rails
Fetching: nokogiri-1.6.7.2.gem (100%)
Building native extensions. This could take a while...
ERROR: Error installing rails:
ERROR: Failed to build gem native extension.
/usr/bin/ruby1.9.1 extconf.rb
checking if the C compiler accepts ... yes
Building nokogiri using packaged libraries.
Using mini_portile version 2.0.0.rc2
checking for gzdopen() in -lz... no
zlib is missing; necessary for building libxml2
*** extconf.rb failed ***
[Slide 10]
Hmm. Time to visit StackOverflow.
[Slide 11]
> sudo apt-get install zlib1g-dev
...
Success!
[Slide 12]
> gem install rails
[Slide 13]
> gem install rails
Building native extensions. This could take a while...
ERROR: Error installing rails:
ERROR: Failed to build gem native extension.
/usr/bin/ruby1.9.1 extconf.rb
checking if the C compiler accepts ... yes
Building nokogiri using packaged libraries.
Using mini_portile version 2.0.0.rc2
checking for gzdopen() in -lz... yes
checking for iconv... yes
Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linux-gnu/ports/libxml2/2.9.2... OK
*** extconf.rb failed ***
[Slide 14]
Nokogiri, why do you never install correctly?
[Slide 15]
> gem install rails
...
Success!
[Slide 16]
> rails new my-project
> cd my-project
> rails server
[Slide 17]
Finally It Works!
[Slide 18]
[Slide 19]
You use the AWS Console to deploy an EC2 instance
[Slide 20]
> ssh [email protected]
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
[ec2-user@ip-172-31-61-204 ~]$ gem install rails
ERROR: Error installing rails:
ERROR: Failed to build gem native extension.
/usr/bin/ruby1.9.1 extconf.rb
[Slide 21]
[Slide 22]
Spend 2 hours trying weird & random suggestions
Replicate your dev environment in an AMI
[Slide 23]
[Slide 24]
Now you urgently have to update all your Rails installations
[Slide 25]
> bundle update rails
[Slide 26]
> bundle update rails
Building native extensions. This could take a while...
ERROR: Error installing rails:
ERROR: Failed to build gem native extension.
/usr/bin/ruby1.9.1 extconf.rb
checking if the C compiler accepts ... yes
Building nokogiri using packaged libraries.
Using mini_portile version 2.0.0.rc2
checking for gzdopen() in -lz... yes
checking for iconv... yes
Extracting libxml2-2.9.2.tar.gz into tmp/x86_64-pc-linux-gnu/ports/libxml2/2.9.2... OK
*** extconf.rb failed ***
[Slide 27]
[Slide 28]
What Are Containers?
Container [kuhn-TAY-ner], noun
Form of application deployment. Making a process think that it has the complete operating system & dependencies for itself.
Containers to the rescue?
[Slide 29]
Why Should You Care?
(chart: Docker Hosts over time; source: Datadog usage stats)
[Slide 30]
Runs Anywhere · Up in Seconds · Massive Scale
[Slide 31]
How to create a containerized application?
(diagram: language and framework icons, including source code and .NET)
[Slide 32]
SECURING CONTAINERS ON THE HOST
• Control Groups (cgroups): cap the CPU, memory and process count each container may consume
• Namespaces: give each container its own view of PIDs, mounts, network interfaces and users
• Capabilities: split root's privileges so a container keeps only the subset it needs
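The three kernel mechanisms listed above can be verified from inside a running container rather than taken on trust. The following script is an added example for this transcript, not the presenter's code or a product feature: it decodes the capability masks the kernel reports in /proc/<pid>/status, reads cgroup v2 limits, and flags the settings that leave a compromised container able to reach the host. The RISKY_CAPS policy, the cgroup file paths and the sample status text are assumptions of the example.

```python
"""Check the isolation a container process actually runs with.

Added example for this slide, not the presenter's code. It reads the kernel's
own record of the three mechanisms named above: capabilities from
/proc/<pid>/status, cgroup (v2) limits from pids.max and memory.max, and the
NoNewPrivs/Seccomp fields that decide whether privileges can grow back.
Parsing is separated from file access so the parsers run on constructed text.
The RISKY_CAPS policy and the sample status below are assumptions of this example.
"""

# Linux capability numbers in bit order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities that reach past the container boundary (mount, ptrace, module
# load, raw device I/O, network stack changes). A policy choice for this example.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
              "NET_ADMIN", "DAC_READ_SEARCH", "SYS_BOOT", "BPF"}


def decode_caps(mask: int) -> set:
    """Expand a CapEff/CapBnd hex mask into capability names (bit n = cap n)."""
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_status(text: str) -> dict:
    """Pull the Cap*, NoNewPrivs and Seccomp fields out of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key.startswith("Cap"):
            fields[key] = int(value, 16)
        elif key in ("NoNewPrivs", "Seccomp"):
            fields[key] = value
    return fields


def parse_cgroup_limit(text: str):
    """cgroup v2 limit files contain either 'max' (no limit) or an integer."""
    value = text.strip()
    return None if value == "max" else int(value)


def assess(status_text: str, pids_max_text: str, memory_max_text: str) -> list:
    """Return the findings a reviewer of this container's runtime settings wants."""
    status = parse_status(status_text)
    findings = []
    for cap in sorted(decode_caps(status.get("CapEff", 0)) & RISKY_CAPS):
        findings.append(f"CAP_{cap} is effective: it can be used to reach outside the container")
    if status.get("NoNewPrivs") == "0":
        findings.append("no_new_privs is off: setuid binaries can regain dropped privileges")
    if status.get("Seccomp") == "0":
        findings.append("no seccomp filter: the full syscall surface is exposed to the kernel")
    if parse_cgroup_limit(pids_max_text) is None:
        findings.append("pids.max is 'max': a fork bomb can exhaust the host's process table")
    if parse_cgroup_limit(memory_max_text) is None:
        findings.append("memory.max is 'max': the container can consume all host memory")
    return findings


def assess_live(pid: str = "self") -> list:
    """Run the assessment on a real process (Linux with cgroup v2 mounted)."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    limits = []
    for name in ("pids.max", "memory.max"):
        try:
            with open(f"/sys/fs/cgroup/{name}") as f:   # assumed: the container's own cgroup root
                limits.append(f.read())
        except OSError:
            limits.append("max")                        # file absent: treat as unlimited
    return assess(status, *limits)


# Constructed sample: what a default `docker run` container reports.
# 0x00000000a80425fb is Docker's default capability set.
SAMPLE_STATUS = (
    "Name:\tjava\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t2\n"
)

if __name__ == "__main__":
    for finding in assess(SAMPLE_STATUS, "max", "max"):
        print("-", finding)
```

Running assess_live() inside a container started with a plain `docker run` yields the no_new_privs, pids.max and memory.max findings; `docker run --cap-drop ALL --cap-add NET_BIND_SERVICE --security-opt no-new-privileges --pids-limit 256 --memory 512m` clears them. CapEff describes only this process: a setuid binary with file capabilities can still acquire anything CapBnd allows, which is why the bounding set and no_new_privs have to be read together.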
[Slide 33]
Let's deploy our Ruby application as a container
[Slide 34]
[Slide 35]
Dockerfile Example
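The slide's Dockerfile image was not captured in the transcript. As an added example (not the presenter's Dockerfile), here are two constructed Dockerfiles for the Rails application from the opening story, one written the way the install saga would suggest and one hardened, together with a small policy check a CI pipeline could run before an image is pushed. Package names follow the build errors shown earlier; the base image tags, the uid, the example.invalid URL and the rule set are assumptions of the example.

```python
"""Dockerfile policy check for the Rails image in this transcript.

Added example, not the presenter's Dockerfile. parse_dockerfile turns a
Dockerfile into (INSTRUCTION, argument) pairs; check_dockerfile applies rules
a reviewer would enforce before an image is pushed. Both Dockerfiles are
constructed: the packages follow the build errors shown earlier (make,
zlib1g-dev) plus the headers nokogiri compiles against; base tags, the uid
and the rule set are assumptions of the example.
"""
import re

SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def parse_dockerfile(text: str) -> list:
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations."""
    logical, instructions = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        name, _, arg = logical.partition(" ")
        instructions.append((name.upper(), arg.strip()))
        logical = ""
    return instructions


def check_dockerfile(text: str) -> list:
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    last_user = "root"                       # Docker's default if no USER is given
    for name, arg in parse_dockerfile(text):
        if name == "FROM":
            image = arg.split()[0]
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append(f"FROM {image}: pin a version tag or digest, not latest")
        elif name == "USER":
            last_user = arg.split(":")[0]
        elif name in ("ENV", "ARG") and SECRET_NAME.search(arg.split("=")[0]):
            findings.append(f"{name} {arg.split('=')[0]}: a value baked into a layer is readable by anyone who pulls the image")
        elif name == "ADD" and re.match(r"https?://", arg):
            findings.append(f"ADD {arg.split()[0]}: remote fetch with no integrity check; COPY a vetted file instead")
        elif name == "RUN":
            if "apt-get install" in arg and "--no-install-recommends" not in arg:
                findings.append("RUN apt-get install without --no-install-recommends: extra packages widen the attack surface")
            if re.search(r"(curl|wget)[^|]*\|\s*(ba)?sh\b", arg):
                findings.append("RUN pipes a download into a shell: an unverifiable supply-chain step")
        elif name in ("CMD", "ENTRYPOINT") and not arg.startswith("["):
            findings.append(f"{name} in shell form runs under /bin/sh -c; use exec form so signals reach the process")
    if last_user in ("root", "0"):
        findings.append("no non-root USER: the Rails process runs as uid 0 inside the container")
    return findings


# Constructed: the image the install saga would produce if written down as-is.
WEAK = r"""
FROM ruby:latest
ENV SECRET_KEY_BASE=changeme
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN apt-get update && apt-get install -y make zlib1g-dev
COPY . /app
WORKDIR /app
RUN bundle install
CMD rails server -b 0.0.0.0
"""

# Constructed: the same application with the policy applied.
HARDENED = r"""
FROM ruby:2.4.2-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential zlib1g-dev libxml2-dev libxslt1-dev \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY Gemfile Gemfile.lock ./
RUN bundle install --without development test
COPY . .
RUN useradd -r -u 10001 app && chown -R app:app /app
USER app
EXPOSE 3000
CMD ["rails", "server", "-b", "0.0.0.0"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_dockerfile(text) or "OK")
```

The hardened file still ships a compiler in the runtime image; a multi-stage build that installs gems in a builder stage and copies the result into a fresh ruby:2.4.2-slim stage removes it, and the FROM rule above accepts that as written.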
[Slide 36]
August 16th 2017
[Slide 37]
• Exploited Apache Struts vulnerability
• 143 million customers impacted
• Attack occurred from mid-May to July prior to detection
• Equifax hack shaved $4B, or about 25% of the company's market cap
September 7th 2017
[Slide 38]
CVE-2017-9805 / CVE-2017-5638 in a nutshell
1) Apache Struts: a framework for dynamic web content
2) Arbitrary RCE if the REST communication plugin is enabled
3) The weakness is caused by how XStream deserializes untrusted data represented as XML
(Points 2 and 3 describe CVE-2017-9805, S2-052, the bug the demo scenario later in the deck uses. CVE-2017-5638, S2-045, the one exploited in the Equifax breach, is a different flaw: OGNL expression injection through a crafted Content-Type header handled by the Jakarta Multipart parser.)
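The fix Apache shipped for S2-052 in Struts 2.5.13 was to restrict the classes XStream may instantiate. The same allowlist idea can be applied one hop earlier, at a reverse proxy or WAF, for deployments that cannot patch immediately. The script below is an added example, not Struts code and not the presenter's demo: it collects every element name and class attribute an XML body would make XStream resolve and refuses anything outside an allowlist, alerting separately on class names from the publicly documented CVE-2017-9805 gadget chain. The /orders resource, its ALLOWED_TYPES, and both request bodies are constructed for the example; the hostile one is a structural skeleton, not a working payload.

```python
"""Type allowlist for XML bodies headed to an XStream-backed REST endpoint.

Added example, not Struts code and not the presenter's demo. Struts 2.5.13
fixed S2-052 by restricting the classes XStream may instantiate; this filter
applies the same rule one hop earlier, at a proxy or WAF, by refusing any XML
whose element names or class="..." attributes are not on an allowlist.
The resource type set, the marker list and both bodies are constructed.
"""
import xml.etree.ElementTree as ET

# Types a hypothetical /orders resource legitimately binds from XML.
ALLOWED_TYPES = {"order", "id", "customer", "items", "item", "sku", "qty",
                 "string", "int", "list", "map", "entry"}

# Class-name fragments from the publicly documented CVE-2017-9805 gadget
# chain. Any of them in a body to a Struts REST endpoint deserves an alert.
GADGET_MARKERS = ("java.lang.ProcessBuilder", "jdk.nashorn",
                  "CipherInputStream", "javax.imageio.ImageIO", "Base64Data")


def referenced_types(body: bytes) -> set:
    """Every element tag and class attribute XStream would try to resolve."""
    root = ET.fromstring(body)
    types = set()
    for element in root.iter():
        types.add(element.tag.rsplit("}", 1)[-1])   # drop any namespace prefix
        if "class" in element.attrib:
            types.add(element.attrib["class"])
    return types


def inspect_request(content_type: str, body: bytes) -> dict:
    """Decide whether a request may pass to the REST plugin's XML handler."""
    media_type = content_type.split(";")[0].strip().lower()
    if not media_type.endswith("xml"):
        return {"allow": True, "reason": "not an XML body; XStream handler not involved"}
    try:
        types = referenced_types(body)
    except ET.ParseError as err:
        return {"allow": False, "reason": f"malformed XML: {err}"}
    hits = sorted(t for t in types if any(m in t for m in GADGET_MARKERS))
    if hits:
        return {"allow": False, "reason": "known deserialization gadget", "types": hits}
    unknown = sorted(t for t in types if t not in ALLOWED_TYPES)
    if unknown:
        return {"allow": False, "reason": "type not in allowlist", "types": unknown}
    return {"allow": True, "reason": "all types allowlisted"}


# Constructed benign order document for the /orders resource.
BENIGN = b"""<order><id>42</id><customer>acme</customer>
<items><item><sku>A1</sku><qty>3</qty></item></items></order>"""

# Constructed skeleton of a hostile document. XStream resolves element names as
# class names, so the gadget chain is named even though no payload is present.
HOSTILE = b"""<map><entry>
<jdk.nashorn.internal.objects.NativeString>
  <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
    <dataHandler><is class="javax.crypto.CipherInputStream"/></dataHandler>
  </value>
</jdk.nashorn.internal.objects.NativeString>
</entry></map>"""

if __name__ == "__main__":
    print(inspect_request("application/xml", BENIGN))
    print(inspect_request("application/xml;charset=UTF-8", HOSTILE))
```

ElementTree is used for portability; in production use defusedxml or another parser that rejects entity expansion, so the filter cannot itself become a denial-of-service target. The allowlist, not the marker list, is the real control: marker lists describe yesterday's payload, while an allowlist rejects the next gadget chain too.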
[Slide 39]
OWASP #1
Injection is the #1 application attack vector
[Slide 40]
Demo Scenario With Containers
Victim Container
• Apache Struts server using vulnerable struts-2.3.24
Attacker Container
• exploit CVE-2017-9805 using the victim as target
• Python based exploit
• Uploads a simple web shell as a web application to the victim
[Slide 41]
[Slide 42]
Demo
[Slide 43]
What if Equifax were using containers?
Attack Success Criteria
1. Compromise server
2. Remain persistent
3. Access additional internal resources
4. Exfiltration of sensitive (PII) data
[Slide 44]
• Container compromised, not the host
• Container breakout = kernel exploit (in a correctly configured runtime; in practice breakouts more often come from misconfiguration: --privileged, a mounted Docker socket, or sensitive host paths bind-mounted into the container)
• Less persistent (average container life: 6 hours!)
• Minimal lateral network movement
• Micro service = reduced attack surface
[Slide 45]
[Slide 46]
Shrink-Wrapping the Container
Learn and apply least privileges across every dimension of the container's business function: file use, executables, network use, user privileges, resource use, volumes, secrets, image integrity
• Each micro-service should do very little
• Learn normal behavior and block anything else (Shell.war)
• Segment networking on, and between, containers on the same host
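"Learn normal behavior and block anything else" can be made concrete as a per-container profile over the dimensions the slide lists. The script below is an added example, not the presenter's tooling: a profile constructed for the demo's Struts container (one service user, a fixed executable set, a few writable paths, one permitted backend) is enforced over a constructed stream of runtime events that includes the Shell.war drop from the demo and the lateral steps that would follow it. Paths, addresses, user names and the event shape are assumptions of the example.

```python
"""Behavioral allowlist for a shrink-wrapped Struts container.

Added example for this slide, not the presenter's product. PROFILE is what
"learn normal behavior" would produce for the demo's victim container, which
(in this constructed setup) starts the JVM directly through an exec-form
ENTRYPOINT, so no shell belongs in its executable set. EVENTS are constructed
in the shape a runtime sensor would report: (kind, user, target).
"""
from fnmatch import fnmatch

PROFILE = {
    "user": "tomcat",
    "exec": {"/usr/lib/jvm/java-8-openjdk-amd64/bin/java"},
    "write": {"/usr/local/tomcat/logs/*", "/usr/local/tomcat/temp/*",
              "/usr/local/tomcat/work/*"},
    "connect": {"10.0.5.20:5432"},      # the only legitimate backend: the orders DB
}

EVENTS = [
    ("exec", "tomcat", "/usr/lib/jvm/java-8-openjdk-amd64/bin/java"),
    ("write", "tomcat", "/usr/local/tomcat/logs/catalina.out"),
    ("connect", "tomcat", "10.0.5.20:5432"),
    ("write", "tomcat", "/usr/local/tomcat/webapps/Shell.war"),  # web shell dropped through the REST endpoint
    ("exec", "tomcat", "/bin/sh"),                                # command execution via the web shell
    ("exec", "tomcat", "/usr/bin/curl"),                          # tooling pulled in for the next hop
    ("connect", "tomcat", "203.0.113.9:4444"),                    # reverse connection to the attacker
    ("exec", "root", "/usr/bin/apt-get"),                         # a user the profile never saw
]


def matches(target: str, patterns: set) -> bool:
    """Glob match a path against the learned writable-path patterns."""
    return any(fnmatch(target, pattern) for pattern in patterns)


def evaluate(event: tuple, profile: dict = PROFILE) -> str:
    """Return 'allow' or a 'block: ...' reason for one runtime event."""
    kind, user, target = event
    if user != profile["user"]:
        return f"block: {kind} by {user}; the container only runs as {profile['user']}"
    if kind == "exec" and target not in profile["exec"]:
        return f"block: executable {target} not in the learned set"
    if kind == "write" and not matches(target, profile["write"]):
        return f"block: write to {target} outside the learned writable paths"
    if kind == "connect" and target not in profile["connect"]:
        return f"block: connection to {target} not in the learned set"
    if kind not in ("exec", "write", "connect"):
        return f"block: event kind {kind} has no learned baseline"   # default deny
    return "allow"


def enforce(events: list, profile: dict = PROFILE) -> list:
    """Run a stream of events through the profile; returns (event, verdict) pairs."""
    return [(event, evaluate(event, profile)) for event in events]


def blocked(events: list, profile: dict = PROFILE) -> list:
    """Just the events the profile would have stopped."""
    return [event for event, verdict in enforce(events, profile) if verdict != "allow"]


if __name__ == "__main__":
    for event, verdict in enforce(EVENTS):
        print(f"{verdict:70} {event}")
```

A profile is only as good as its learning window: learn across a full deployment and traffic cycle, and treat the blocked verdicts produced by a new image version as review items before switching that container from alert to enforce. The connect dimension is what turns the slide's last bullet, segmenting traffic between containers on the same host, into something checkable per process rather than per network.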
[Slide 47]
So...
Do Containers Enhance Security?
[Slide 48]
[Slide 49]
(diagram: source code and .NET app → Docker Image → Docker Host, with the image layers labelled Read Only)
[Slide 50]
[Slide 51]
Container Security Concerns
• Developer controls the full stack
• Unauthorized images
• Open source vulnerabilities
• East-west traffic
• Privilege escalation (Dirty COW, CVE-2016-5195?)
• Host resource impact: :(){ :|:& };: (a fork bomb; without a pids limit on the container it exhausts the host's process table)
• Secrets management
(diagram: Attacker → Application on Host 1 → Application on Host 2; Authenticated User)
[Slide 52]
Call To Action