# 25-05-2023 Cloud Native Computing Meetup Switzerland

## Presentation

{% file src="/files/JUwyr4r5DexrUxrS7oKR" %}

## Fortinet-specific links

* <https://www.fortinet.com/products/public-cloud-security/cloud-native-firewall>
* <https://www.fortinet.com/products/public-cloud-security/azure/azure-vwan>
* <https://www.fortinet.com/products/fortidevsec>
* <https://www.fortinet.com/products/dynamic-application-security-testing>
* <https://github.com/40net-cloud/fortinet-azure-solutions/>

## Links

* <https://medium.com/@chenshiri/taking-over-google-cloud-shell-by-utilizing-capabilities-and-kubelet-fd5e2417f286>
* <https://www.form3.tech/engineering/content/exploiting-distroless-images>
* <https://falco.org/>
* <https://sysdig.com/>
* <https://www.armosec.io>
* <https://aquasecurity.github.io/trivy/v0.38/>
* <https://home.robusta.dev/>
* <https://tetragon.cilium.io/docs/>
* <https://github.com/deepfence/YaraHunter>

## Exploiting probes and life cycle management

* <https://github.com/xxradar/attacking_via_kubernetes_probes>
* <https://github.com/xxradar/posthook_exploitation/>

## Tekton examples

* <https://github.com/kubiosec/tekton>

## Trivy examples

```
$ trivy image ubuntu:latest
2023-03-22T10:41:57.265Z	INFO	Vulnerability scanning is enabled
2023-03-22T10:41:57.266Z	INFO	Secret scanning is enabled
2023-03-22T10:41:57.266Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-03-22T10:41:57.266Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-03-22T10:41:58.233Z	INFO	Detected OS: ubuntu
2023-03-22T10:41:58.233Z	INFO	Detecting Ubuntu vulnerabilities...
2023-03-22T10:41:58.236Z	INFO	Number of language-specific files: 0

ubuntu:latest (ubuntu 22.04)

Total: 12 (UNKNOWN: 0, LOW: 12, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬──────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │    Installed Version     │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bash         │ CVE-2022-3715  │ LOW      │ 5.1-6ubuntu1             │               │ bash: a heap-buffer-overflow in valid_parameter_transform   │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3715                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils    │ CVE-2016-2781  │          │ 8.32-4.1ubuntu1          │               │ coreutils: Non-privileged session can escape to the parent  │
│              │                │          │                          │               │ session in chroot                                           │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-2781                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv         │ CVE-2022-3219  │          │ 2.2.27-3ubuntu2.1        │               │ gnupg: denial of service issue (resource consumption) using │
│              │                │          │                          │               │ compressed packets                                          │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3219                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin     │ CVE-2016-20013 │          │ 2.35-0ubuntu3.1          │               │ sha256crypt and sha512crypt through 0.6 allow attackers to  │
│              │                │          │                          │               │ cause a denial of...                                        │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-20013                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ libc6        │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libncurses6  │ CVE-2022-29458 │          │ 6.3-2                    │               │ ncurses: segfaulting OOB read                               │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ libncursesw6 │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre3     │ CVE-2017-11164 │          │ 2:8.39-13ubuntu0.22.04.1 │               │ pcre: OP_KETRMAX feature in the match function in           │
│              │                │          │                          │               │ pcre_exec.c                                                 │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2017-11164                  │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3      │ CVE-2022-3996  │          │ 3.0.2-0ubuntu1.8         │               │ openssl: double locking leads to denial of service          │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3996                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libtinfo6    │ CVE-2022-29458 │          │ 6.3-2                    │               │ ncurses: segfaulting OOB read                               │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ ncurses-base │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ ncurses-bin  │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
└──────────────┴────────────────┴──────────┴──────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```

```
$ trivy image xxradar/ubuntu_infected:101
2023-03-22T10:35:38.998Z	INFO	Need to update DB
2023-03-22T10:35:38.999Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-03-22T10:35:38.999Z	INFO	Downloading DB...
36.14 MiB / 36.14 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 3.91 MiB p/s 9.5s
2023-03-22T10:35:51.163Z	INFO	Vulnerability scanning is enabled
2023-03-22T10:35:51.170Z	INFO	Secret scanning is enabled
2023-03-22T10:35:51.171Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-03-22T10:35:51.173Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-03-22T10:35:52.602Z	INFO	Detected OS: ubuntu
2023-03-22T10:35:52.603Z	INFO	Detecting Ubuntu vulnerabilities...
2023-03-22T10:35:52.618Z	INFO	Number of language-specific files: 0

xxradar/ubuntu_infected:101 (ubuntu 22.04)

Total: 12 (UNKNOWN: 0, LOW: 12, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬──────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │    Installed Version     │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bash         │ CVE-2022-3715  │ LOW      │ 5.1-6ubuntu1             │               │ bash: a heap-buffer-overflow in valid_parameter_transform   │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3715                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils    │ CVE-2016-2781  │          │ 8.32-4.1ubuntu1          │               │ coreutils: Non-privileged session can escape to the parent  │
│              │                │          │                          │               │ session in chroot                                           │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-2781                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv         │ CVE-2022-3219  │          │ 2.2.27-3ubuntu2.1        │               │ gnupg: denial of service issue (resource consumption) using │
│              │                │          │                          │               │ compressed packets                                          │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3219                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin     │ CVE-2016-20013 │          │ 2.35-0ubuntu3.1          │               │ sha256crypt and sha512crypt through 0.6 allow attackers to  │
│              │                │          │                          │               │ cause a denial of...                                        │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-20013                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ libc6        │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libncurses6  │ CVE-2022-29458 │          │ 6.3-2                    │               │ ncurses: segfaulting OOB read                               │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ libncursesw6 │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre3     │ CVE-2017-11164 │          │ 2:8.39-13ubuntu0.22.04.1 │               │ pcre: OP_KETRMAX feature in the match function in           │
│              │                │          │                          │               │ pcre_exec.c                                                 │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2017-11164                  │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3      │ CVE-2022-3996  │          │ 3.0.2-0ubuntu1.8         │               │ openssl: double locking leads to denial of service          │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3996                   │
├──────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libtinfo6    │ CVE-2022-29458 │          │ 6.3-2                    │               │ ncurses: segfaulting OOB read                               │
│              │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ ncurses-base │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
├──────────────┤                │          │                          ├───────────────┤                                                             │
│ ncurses-bin  │                │          │                          │               │                                                             │
│              │                │          │                          │               │                                                             │
└──────────────┴────────────────┴──────────┴──────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```

```
$ trivy image node:latest | grep -i TOTAL
2023-03-22T10:39:20.994Z	INFO	Vulnerability scanning is enabled
2023-03-22T10:39:20.994Z	INFO	Secret scanning is enabled
2023-03-22T10:39:20.995Z	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-03-22T10:39:20.995Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-03-22T10:39:21.970Z	INFO	Detected OS: debian
2023-03-22T10:39:21.970Z	INFO	Detecting Debian vulnerabilities...
2023-03-22T10:39:22.175Z	INFO	Number of language-specific files: 1
2023-03-22T10:39:22.175Z	INFO	Detecting node-pkg vulnerabilities...
Total: 1019 (UNKNOWN: 1, LOW: 606, MEDIUM: 199, HIGH: 199, CRITICAL: 14)
```

## Malware scan using YaraHunter

```
$ docker run -it --rm --name=deepfence-yarahunter      \
     -v /var/run/docker.sock:/var/run/docker.sock      \
     -v /tmp:/home/deepfence/output      \
     deepfenceio/yara-hunter:latest \
     --image-name xxradar/ubuntu_infected:101 \
     --json-filename=xmrig-scan.json
copied size 384
copied size 1032336
server inside23 port {0xc000451a28 0xc00040d3c0 0xc0004518c8 0xc00040d3d0 0xc00040d3e0 0xc00040d3f0 0xc00040d400 0xc00040d410 0xc00040d420 0xc00040d430 0xc0004518d8 0xc00040d440 0xc00040d450 0xc00040d460 0xc00040d470 0xc00040d480 0xc00040d3b0 0xc0004518b8}
INFO[2023-03-25 09:42:54] trying to connect to endpoint 'unix:///var/run/docker.sock' with timeout '10s'
INFO[2023-03-25 09:42:54] connected successfully using endpoint: unix:///var/run/docker.sock
INFO[2023-03-25 09:42:54] trying to connect to endpoint 'unix:///run/containerd/containerd.sock' with timeout '10s'
WARN[2023-03-25 09:43:04] could not connect to endpoint 'unix:///run/containerd/containerd.sock': context deadline exceeded
INFO[2023-03-25 09:43:04] trying to connect to endpoint 'unix:///run/k3s/containerd/containerd.sock' with timeout '10s'
WARN[2023-03-25 09:43:14] could not connect to endpoint 'unix:///run/k3s/containerd/containerd.sock': context deadline exceeded
INFO[2023-03-25 09:43:14] container runtime detected: docker
{
  "Timestamp": "2023-03-25 09:43:21.724037583 +00:00",
  "Image Name": "xxradar/ubuntu_infected:101",
  "Image ID": "0f68bbdbb726cf17f17220e61a09ccf88ff0edfafbc97043378b6a2739352b56",
  "Malware match detected are": [
    {
      "Image Layer ID": "5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d",
      "Matched Rule Name": "spyeye_plugins",
      "Strings to match are": [
            "config.dat"
      ],
      "Category": ["banker"],
      "File Name": "/tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/etc/debconf.conf",
      "author":"Jean-Philippe Teissier / @Jipe_ ",
      "description":"SpyEye X.Y Plugins memory ",
      "date":"2012-05-23 ",
      "version":"1.0 ",
      "filetype":"memory ",
      "Summary": "The file /tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/etc/debconf.conf has a banker match.The matched rule file's  author  is Jean-Philippe Teissier / @Jipe_ .The file has a rule match that  SpyEye X.Y Plugins memory .The matched rule file's  date  is 2012-05-23 .The matched rule file's  version  is 1.0 .The matched rule file's  filetype  is memory ."
    }
,
    {
      "Image Layer ID": "5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d",
      "Matched Rule Name": "spyeye_plugins",
      "Strings to match are": [
            "config.dat"
      ],
      "Category": ["banker"],
      "File Name": "/tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/usr/share/debconf/debconf.conf",
      "author":"Jean-Philippe Teissier / @Jipe_ ",
      "description":"SpyEye X.Y Plugins memory ",
      "date":"2012-05-23 ",
      "version":"1.0 ",
      "filetype":"memory ",
      "Summary": "The file /tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/usr/share/debconf/debconf.conf has a banker match.The matched rule file's  author  is Jean-Philippe Teissier / @Jipe_ .The file has a rule match that  SpyEye X.Y Plugins memory .The matched rule file's  date  is 2012-05-23 .The matched rule file's  version  is 1.0 .The matched rule file's  filetype  is memory ."
    }
,
    {
      "Image Layer ID": "5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d",
      "Matched Rule Name": "spyeye",
      "Strings to match are": [
            "data_end"
      ],
      "Category": ["banker"],
      "File Name": "/tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/var/lib/dpkg/info/libc6:amd64.symbols",
      "author":"Jean-Philippe Teissier / @Jipe_ ",
      "description":"SpyEye X.Y memory ",
      "date":"2012-05-23 ",
      "version":"1.0 ",
      "filetype":"memory ",
      "Summary": "The file /tmp/Deepfence/YaRadare/df_xxradarubuntuinfected101/ExtractedFiles/5252eaf485b87efa424faa758810c93fa0e7f9444b4b3d368334fe6420df311d/var/lib/dpkg/info/libc6:amd64.symbols has a banker match.The matched rule file's  author  is Jean-Philippe Teissier / @Jipe_ .The file has a rule match that  SpyEye X.Y memory .The matched rule file's  date  is 2012-05-23 .The matched rule file's  version  is 1.0 .The matched rule file's  filetype  is memory ."
    }

  ]
}
```
