APM UMA Enhancement - Just enough privileges with RBAC permissions for tracking the progress.

Article ID: 384712

Updated On:

Products

  • DX APM SaaS
  • DX Application Performance Management

Issue/Introduction

Some of the permissions required for UMA are overly privileged:

Overly Privileged RBAC Permissions

A number of OpenShift Role Based Access Control (RBAC) policies were overly permissive. An attacker could use these permissions to gain greater access to the clusters than originally intended, for example by escalating privileges to those of a cluster administrator.

Service Account: ServiceAccount/dxapm:uma

Escalation Path:
  • Cluster-wide create/update pods
  • Cluster-wide executing commands in pods
  • Cluster-wide create/update application workloads
  • Create/Update mutating webhook admission controllers
  • Cluster-wide reading secrets

Daemonsets with Permissive Service Account


WithSecure found multiple daemonsets with permissive service accounts running in the clusters. An attacker who had gained a foothold on any cluster node could access that node's daemonset pod and use its service account to escalate privileges and gain control of the cluster.

Daemonset: app-container-monitor
Namespace: dxapm
Escalation Path: Can read secrets cluster-wide
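As an added check for both findings above (the ServiceAccount/dxapm:uma escalation paths and the cluster-wide secret read granted to the app-container-monitor daemonset), the following script audits a ClusterRole's rules for exactly those permissions. It is example code, not Broadcom's or UMA's; the rule shape is the standard Kubernetes PolicyRule form (apiGroups/resources/verbs), and both sample roles are constructed for illustration rather than taken from a real UMA deployment.

```python
"""Flag ClusterRole rules that grant the escalation paths listed above.
Added example (not Broadcom's or UMA's code); rules use the standard Kubernetes
PolicyRule shape, and both sample roles below are constructed, not real."""

# Finding name -> (resources, verbs). A "*" in a rule matches everything, as in
# RBAC evaluation. pods/exec is normally granted via "create" (POST); the
# websocket path to the same subresource is authorized with "get".
ESCALATION_PATHS = {
    "Cluster-wide create/update pods": ({"pods"}, {"create", "update", "patch"}),
    "Cluster-wide executing commands in pods": ({"pods/exec"}, {"create", "get"}),
    "Cluster-wide create/update application workloads": (
        {"deployments", "daemonsets", "statefulsets"}, {"create", "update", "patch"}),
    "Create/Update mutating webhook admission controllers": (
        {"mutatingwebhookconfigurations"}, {"create", "update", "patch"}),
    "Cluster-wide reading secrets": ({"secrets"}, {"get", "list", "watch"}),
}

def _rule_grants(rule, resources, verbs):
    """True if one PolicyRule grants any of `verbs` on any of `resources`."""
    rule_res = set(rule.get("resources", []))
    rule_verbs = set(rule.get("verbs", []))
    res_hit = "*" in rule_res or bool(rule_res & resources)
    verb_hit = "*" in rule_verbs or bool(rule_verbs & verbs)
    return res_hit and verb_hit

def audit_cluster_role(rules):
    """Return the escalation paths a ClusterRole grants, in table order."""
    return [name for name, (resources, verbs) in ESCALATION_PATHS.items()
            if any(_rule_grants(rule, resources, verbs) for rule in rules)]

# Constructed: a role resembling the overly permissive binding (all five paths).
OVERLY_PERMISSIVE = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"],
     "verbs": ["create", "update"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["mutatingwebhookconfigurations"], "verbs": ["create", "update"]},
]

# Constructed: a read-only monitoring role, which triggers no finding.
LEAST_PRIVILEGE = [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["get", "list", "watch"]},
]

if __name__ == "__main__":
    for finding in audit_cluster_role(OVERLY_PERMISSIVE):
        print("FINDING:", finding)
    print("least-privilege findings:", audit_cluster_role(LEAST_PRIVILEGE))  # []
```

To run it against a live cluster, feed it the `rules` list from `kubectl get clusterrole <name> -o json` for each role bound to the service account.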

Environment

  • DX APM SaaS
  • DX APM on prem 2*

Resolution

An enhancement request has been created for this code security improvement:

F152813: UMA : Just enough privileges with RBAC permissions for tracking the progress.

Additional Information