CVE-2021-31440: Kubernetes container escape using eBPF

In a recent post by ZDI, researchers found an out-of-bounds access flaw (CVE-2021-31440) in the Linux kernel’s (5.11.15) implementation of the eBPF code verifier: an incorrect register bounds calculation occurs while checking unsigned 32-bit instructions in an eBPF program. The flaw can be leveraged to escalate privileges and execute arbitrary code in the context of the kernel.

This vulnerability allows a local privilege escalation, which means an attacker with non-root access to the system can gain higher privileges by exploiting this vulnerability. The non-root access can be a user account without sudo or group privileges, which are usually provided to the application user.

Why you should be worried

In a Kubernetes environment, containers use the host kernel to run themselves. Therefore, the execution of malicious eBPF code as an unprivileged user in the context of the kernel can result in container escape and privilege escalation to the host.

Unprivileged users inside the container need CAP_SYS_ADMIN permission already assigned to the container to run a malicious eBPF program. For Linux kernels 5.8 and above, a new permission, CAP_BPF, is added to allow users to run eBPF programs. CAP_BPF is a subset of CAP_SYS_ADMIN.

In Kubernetes, Continue reading

AMD on Why Chiplets—And Why Now

Moore’s Law is not just a simple rule of thumb about transistor counts, it’s an economic, technical, and developmental force—and one strong enough to push some of the largest chipmakers to future-proof architectural approaches. …

AMD on Why Chiplets—And Why Now was written by Nicole Hemsoth at The Next Platform.

Bringing “docker scan” to Linux

At the end of last year we launched vulnerability scanning options as part of the Docker platform. We worked together with our partner Snyk to include security testing options along multiple points of your inner loop. We incorporated scanning options into the Hub, so that you can configure your repositories to automatically scan all the pushed images. We also added a scanning command to the Docker CLI on Docker Desktop for Mac and Windows, so that you can run vulnerability scans for images on your local machine. The earlier in your development that you find these vulnerabilities, the easier and cheaper it is to fix them. Vulnerability scan results also provide remediation guidance on things that you can do to remove the reported vulnerabilities. Some of the examples of remediation include recommendations for alternative base images with lower vulnerability counts, or package upgrades that have already resolved the specified vulnerabilities.

We are now making another update in our security journey, by bringing “docker scan” to the Docker CLI on Linux. The experience of scanning on Linux is identical to what we have already launched for Desktop CLI, with scanning support for linux/amd64 (x86-64) Docker images. The Continue reading

The Hedge 87: Jordan Holand and nPrint

The network monitoring world is rife with formats for packets being measured—every tool has its own format. What would make things a lot better for network engineers is a standard data representation for packet analysis, no matter what format packets are captured in. Jordan Holland joins Russ White and Tom Ammon on this episode of the Hedge to discuss the problem and nprint, a standard packet analysis format and tools for converting from other formats.

You can find out more about nprint here.

download

CVE-2021-31440: Kubernetes container escape using eBPF

Why you should be worried

In Kubernetes, Continue reading

Exploring VMware’s Kubernetes App Connectivity and Security Solution: A Deep Dive, with Demos

Modern apps need to run in multi-cluster, multi-cloud environments across a mix of traditional and microservices architectures. In this context, enterprise platform, infrastructure, and operations teams are presented with unique challenges in securely connecting and managing modern workloads, in delivering scalable services, or bridging between traditional VM workloads and containers, and supporting production operations for modern apps.

VMware recently introduced the “VMware Modern Apps Connectivity solution”, which brings together the advanced capabilities of Tanzu Service Mesh (TSM) and VMware NSX Advanced Load Balancer ALB (formerly Avi Networks) address today’s unique enterprise challenges.

In this blog, we’ll take a deeper look at this solution and demonstrate how its cloud-native principles enable a set of important use cases that automate the process of connecting, observing, scaling, and better securing applications across multi-site environments and clouds. We’ll also show how state-of-the-art capabilities in this solution — like Global Server Load Balancing (GSLB) and Intelligent Autoscaling — enable enterprises to deliver advanced use cases such as cloud-bursting.

Step 0: Set up (typical HA architecture for a modern distributed app)

Let’s start by looking at our set-up, which is a typical architecture for a highly-available modern app deployment Continue reading

Confronting European Encroachment on Encryption

In late 2020, as Portugal prepared to take over the rotating Presidency of the Council of the European Union (EU), the Internet Society’s Portugal Chapter began ramping up its advocacy against worrying new plans to create encryption backdoors. The Council of the European Union, in a resolution in November 2020, and the European Commission (EC), in a […]

The post Confronting European Encroachment on Encryption appeared first on Internet Society.

Volume Management, Compose v2, Skipping Updates, and more in Docker Desktop 3.4

We are excited to announce the release of Docker Desktop 3.4.

This release includes several improvements to Docker Desktop, including our new Volume Management interface, the Compose v2 roll-out, and changes to how to Skip an update to Docker Desktop based on your feedback.

Volume Management

Have you wanted a way to more easily manage and explore your volumes?

In this release we’re introducing a new capability in Docker Desktop that helps you to create and delete volumes from Desktop’s Dashboard as well as to see which ones are In Use.

For developers with Pro and Team Docker subscriptions, we’ll be bringing a richer experience to managing your volumes.

You’ll be able to explore the contents of the volumes so that you can more easily get an understanding of what’s taking up space within the volume.

You’ll also be able to easily see which specific containers are using any particular volume.

We’re also looking to add additional capabilities in the future, such as being able to easily download files from the volume, read-only view for text files, and more. We’d love to hear more about what you’d like to see us prioritize and focus on in improving the Continue reading

Day Two Cloud 101: Closing The Network/Cloud Gap Before You Fall In (Sponsored)

On today's episode, sponsored by BlueCat Networks, we examine the technology and human challenges that arise when you integrate on-prem and the public cloud. You can't continue to do things in the cloud with traditional toolsets and processes. You need to update the tech and the people, including how they collaborate. We also discuss a new report that examines the need for, and challenges of, integrating networking and cloud teams. Our guest is Andrew Wertkin, Chief Strategy Officer at BlueCat.

Day Two Cloud 101: Closing The Network/Cloud Gap Before You Fall In (Sponsored)

The post Day Two Cloud 101: Closing The Network/Cloud Gap Before You Fall In (Sponsored) appeared first on Packet Pushers.

New NVMe spec brings new support for hard drives

The new NVM Express 2.0 has been released and with it a surprise: The non-volatile memory express protocol—best known for handling SSD speeds—is now offering full-blown support for traditional hard-disk drives.This is quite unexpected because SSDs are orders of magnitude faster than traditional HDDs. [ Read also: How to plan a software-defined data-center network ] The first flash-based SSDs used SATA/SAS physical interfaces borrowed from existing hard drive-based enterprise server/ storage systems. However, none of these interfaces and protocols were designed for high-speed storage media and the SATA/SAS bus became a bottleneck for the much faster SSD.To read this article in full, please click here

New NVMe spec brings new support for hard drives

Smart Security Strategies for the World of Social Media

As a way to avoid risks, social media security is vital for every business or enterprise in blocking targeted attacks, securing corporate accounts from compromise, fighting scams, and frauds.

Celebrating 7 Years of Project Galileo

Every June, we celebrate the anniversary of Project Galileo. This year, we are proud to celebrate seven years of protecting the most vulnerable groups on the Internet from cyber attacks. June is a busy month for us at Cloudflare, with the anniversary of Project Galileo and Access Now’s RightsCon, one of the largest events on human rights in the digital age. As we collaborate with civil society on topics from technology, privacy, digital security and public policy, we learn how to better protect critical voices on the Internet but also how to use the Cloudflare network to make positive changes to the Internet ecosystem.

We started Project Galileo in 2014 with the idea that we need to protect voices that are targeted for working in sensitive areas. As such, we give these voices the resources to protect themselves online against powerful opponents. Whether their opponent’s aim is to intimidate, silence, or steal sensitive information, cyber attacks can cause significant damage to organizations that work in areas such as human rights, independent media, education, and social justice. As the world moves online — a factor accelerated by COVID-19 — access to powerful cybersecurity tools is critical for organizations around the world. Continue reading

Real-Life Network-as-a-Graph Examples

After reading the Everything Is a Graph blog post, Vadim Semenov sent me a long list of real-life examples (slightly edited):

I work in a big enterprise and in order to understand a real packet path across multiple offices via routers and firewalls (when mtr or traceroute don’t work – they do not show firewalls), I made OSPF network visualization based on LSDB output. The idea is quite simple – save information about LSA1 and LSA2 (LSA5 optionally) and that will be enough in order to build a graph (use show ip ospf database router/network on Cisco devices).

Real-Life Network-as-a-Graph Examples

After reading the Everything Is a Graph blog post, Vadim Semenov sent me a long list of real-life examples (slightly edited):

Why the cloud will never eat the data center

Sometimes it’s hard to see gradual changes in technology paradigms because they’re gradual. Sometimes it helps to play “Just suppose…” and see where it leads. So, just suppose that the cloud did what some radical thinkers say, and “absorbed the network”. That’s sure an exciting tag line, but is this even possible, and how might it come about?Companies are already committed to a virtual form of networking for their WAN services, based on VPNs or SD-WAN, rather than building their own WANs from pipes and routers. That was a big step, so what could be happening to make WANs even more virtual, to the point where the cloud could subsume them? It would have to be a data-center change.To read this article in full, please click here

Why the cloud will never eat the data center

Technology Advancements that Led to the Success of NASA’s Mars Rover Landing

Space exploration is one of the most unique and innovative things in the world. With each passing mission NASA employs new and advanced technology in their space missions. Space missions aren’t always a success however with latest technology, NASA has been enjoying some great success.

Ingenuity Mars Helicopter

Mars has a very thin atmosphere so it was necessary for NASA to come up with a powerful object that could fly around the planet and take photographs. This ingenuity Mars helicopter can easily fly around the red planet so that the astronauts can take pictures even far away from their landing base.

MOXIE

MOXIE is one of the most important technologies that is going to revolutionize the space program. MOXIE is a technology that is going to convert the carbon dioxide in Mars atmosphere to oxygen. This will be a great way to have unlimited amount of oxygen once NASA plans to start a base on Mars.

In addition to the above two technologies, NASA also uses new technologies for entry in to the atmosphere. descent and then landing.

Range Trigger

Good landing is very important when you are trying to land on another planet. You need to hit all the Continue reading

« Previous 1 … 662 663 664 665 666 … 3,787 Next »