Abstract

With the advent of microservice-based software architectures, an increasing number of modern cloud environments and enterprises use operating-system-level virtualization, often referred to as container infrastructure. Docker Swarm is one of the most popular container orchestration infrastructures, providing high availability and fault tolerance. Container escape vulnerabilities are discovered from time to time and allow adversaries to execute code on the host operating system and operate within the cloud infrastructure. We show that Docker Swarm is currently not secured against misbehaving manager nodes. This allows a high-impact, high-probability privilege escalation attack, which we refer to as leadership hijacking, the possibility of which is neglected by the current cloud security literature. Cloud lateral movement and defense evasion payloads allow an adversary to leverage Docker Swarm functionality to control each and every host in the underlying cluster. We demonstrate an end-to-end attack in which an adversary with access to an application running on the cluster achieves full control of the cluster. To reduce the probability of a successful high-impact attack, container orchestration infrastructures must reduce the trust level of participating nodes and, in particular, incorporate adversary-immune leader election algorithms.

Highlights

  • Securing distributed collaborative multi-agent systems is an extremely complex task

  • We explore the consequences of the insecure leader election algorithm used in Docker Swarm

  • Byzantine fault tolerant (BFT) leader election algorithms have existed for a long time

Summary

Introduction

Securing distributed collaborative multi-agent systems is an extremely complex task. We show how an attacker with access to a manager host inside a Docker cluster can escalate their privileges in the cluster. An attacker with access to a manager node in Docker Swarm can use this technique, which abuses the fact that Raft is a non-Byzantine algorithm (it tolerates crashed nodes, not nodes that deviate from the protocol), to escalate their cluster privileges and become the cluster leader. We demonstrate two malicious payloads that a typical attacker would be expected to execute: a lateral movement payload and a defense evasion payload. The former uses cluster leader privileges to execute code on every host in the cluster. The latter hides the attacker's malicious activity from infrastructure management tools.
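To make the trust assumption behind this concrete, here is an added toy simulation of Raft's RequestVote rule (not the paper's code and not Docker's swarmkit implementation; manager names, terms and log lengths are constructed). It shows that followers and the sitting leader grant a vote based only on term and log freshness, so a manager whose log is up to date becomes leader simply by starting an election, which is exactly why a misbehaving manager is inside the protocol's trust boundary.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Manager:
    """One Swarm manager as a Raft peer (constructed, simplified model)."""
    name: str
    term: int
    log_len: int                  # stand-in for Raft's (lastLogIndex, lastLogTerm)
    voted_for: Optional[str] = None
    leader: Optional[str] = None

    def request_vote(self, cand_name: str, cand_term: int, cand_log_len: int) -> bool:
        # Rule 1: reject candidates from a stale term.
        if cand_term < self.term:
            return False
        # Rule 2: a newer term makes every peer, including the current leader,
        # step down and forget its vote. Nothing checks whether the candidate
        # is honest: Raft's fault model is crashed nodes, not Byzantine ones.
        if cand_term > self.term:
            self.term, self.voted_for, self.leader = cand_term, None, None
        # Rule 3: one vote per term, only for a log at least as up to date.
        if self.voted_for not in (None, cand_name) or cand_log_len < self.log_len:
            return False
        self.voted_for = cand_name
        return True


def hold_election(candidate: Manager, cluster: List[Manager]) -> Optional[str]:
    """Candidate opens a new term, votes for itself and polls the other peers."""
    candidate.term += 1
    candidate.voted_for = candidate.name
    votes = 1 + sum(
        peer.request_vote(candidate.name, candidate.term, candidate.log_len)
        for peer in cluster if peer is not candidate
    )
    if votes * 2 > len(cluster):          # strict majority wins
        for peer in cluster:
            peer.leader = candidate.name
        return candidate.name
    return None


def scenario() -> dict:
    """Constructed three-manager swarm: m1 is the healthy leader at term 5,
    m3 is a manager that deviates from the protocol by starting an election."""
    m1 = Manager("m1", 5, 10, leader="m1")
    m2 = Manager("m2", 5, 10, leader="m1")
    m3 = Manager("m3", 5, 10, leader="m1")
    new_leader = hold_election(m3, [m1, m2, m3])
    return {"new_leader": new_leader,
            "old_leader_stepped_down": m1.leader == "m3", "term": m1.term}
```

The healthy leader m1 steps down as soon as it sees the higher term, which is the behaviour the paper's leadership hijacking relies on and which a Byzantine fault tolerant election would have to rule out.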

Docker Swarm
Leader Election
Related Work
Taking over the Docker Swarm
High-Level Overview
Leadership Hijacking
Analysis
Limitations
Malicious Payloads
Lateral Movement
Defense Evasion
End-to-End Attack Showcase
Lab Setup
Scenario Overview
Container Exploitation
Container Escape
Cloud Privilege Escalation
Lateral Movement and Defense Evasion
Discussion
Conclusions