Ronen Shustin

@ronenshh


Vulnerability Research at @wiz_io

Joined August 2011
@ronenshh
Ronen Shustin
2 months
RT @wiz_io: 🏆 Wiz Research took 1st place in #Pwn2Own's first-ever AI category, competing against global teams targeting critical AI infras…
@ronenshh
Ronen Shustin
4 months
With this research, we hope to raise awareness within the @kubernetesio community about this often-underestimated attack surface. ☁️⚠️
@ronenshh
Ronen Shustin
4 months
Throughout our research, we’ve seen many admission controllers running with high privileges. Their complex logic increases the chances of vulnerabilities—as we demonstrated with Ingress-NGINX. 🎯
@ronenshh
Ronen Shustin
4 months
Pods lacking proper network isolation can communicate directly with admission controllers. This creates a potential escalation path where attackers can send AdmissionReview requests directly—something that should technically only be done by the API server. 🚨
@ronenshh
Ronen Shustin
4 months
We started exploring admission controllers a while back, recognizing them as an often-overlooked attack surface. They’re essentially web servers—unauthenticated and exposing additional network-accessible endpoints within the cluster.
@ronenshh
Ronen Shustin
4 months
This was a huge effort from the team. With every small primitive we discovered, we got closer—until we finally landed a full unauthenticated RCE. I had a ton of fun working on this research. ☸️👇
@nirohfeld
Nir Ohfeld
4 months
We (+@sagitz_ @ronenshh @hillai) found a series of unauthenticated RCEs in core @KubernetesIO project "Ingress-NGINX". The impact? From zero permissions ➡️ to complete cluster takeover 🤯. This is the story of #IngressNightmare 🧵⬇️
@ronenshh
Ronen Shustin
5 months
Personally, though I’m biased 😏, this is one of the coolest container escape vulnerabilities.
@ronenshh
Ronen Shustin
5 months
A couple of months ago, we at @wiz_io discovered a container escape vulnerability in the NVIDIA Container Toolkit, which impacts many cloud and AI SaaS providers. We're finally able to share the technical details.
@ronenshh
Ronen Shustin
10 months
For more details about this issue, check out our blog:
@ronenshh
Ronen Shustin
10 months
Update to v1.16.2 of the NVIDIA Container Toolkit and v24.6.2 of the NVIDIA GPU Operator to secure your AI infrastructure. Environments running untrusted container images are most at risk and should update immediately.
@ronenshh
Ronen Shustin
10 months
This vulnerability significantly impacts systems that use containers with NVIDIA GPUs. Our data at @wiz_io shows that over 33% of cloud environments are vulnerable to this issue.
@ronenshh
Ronen Shustin
10 months
By leveraging the container runtime Unix socket, we can achieve full Remote Code Execution (RCE) on the host by spawning a new privileged container.
@ronenshh
Ronen Shustin
10 months
Furthermore, most container orchestration solutions (Docker, containerd, K8s) have runtime Unix sockets used to manage containers. While our host filesystem mount is read-only, Unix sockets are not restricted by this limitation.
@ronenshh
Ronen Shustin
10 months
Soon enough, we discovered a security issue in NCT. With a specially crafted container image, it's possible to mount the host's filesystem into the container when it spawns. This could potentially expose secrets and other sensitive information from the host.
@ronenshh
Ronen Shustin
10 months
While researching AI SaaS/Cloud providers, we (the research team at @wiz_io) noticed that the Nvidia Container Toolkit, aka NCT, is widely used to enable GPU access in containers… So, we decided to take a closer look 👀
@ronenshh
Ronen Shustin
10 months
We discovered a container escape vulnerability in the @NVIDIA Container Toolkit. It allows attackers to gain full access to the host's filesystem and achieve Remote Code Execution (RCE). Here's everything you need to know about CVE-2024-0132 🧵👇
@ronenshh
Ronen Shustin
2 years
This is gold.
@memenetes
memenetes
2 years
Multi-tenancy in Kubernetes
@ronenshh
Ronen Shustin
2 years
Our findings highlight security issues that could occur in any Kubernetes environment, recommended read for Kubernetes users and defenders. Read the full technical details here:
@ronenshh
Ronen Shustin
2 years
We disclosed all of our findings to Alibaba Cloud. Alibaba Cloud rapidly investigated and fixed the vulnerabilities we discovered. Alibaba Cloud's security team took the issues very seriously and addressed them promptly and professionally.
@ronenshh
Ronen Shustin
2 years
Contrary to AnalyticDB, in our ApsaraDB RDS research, we discovered that the K8s node hosting our ApsaraDB RDS instance also hosted the database instances of other customers. So, we had immediate access to other customers' data upon escaping the RDS container!