Privilege Escalation in Windows, Linux, and K8s and 6 Ways to Prevent It
Privilege escalation is a situation where a malicious actor gains unauthorized access to resources or privileges on a computer system, network, or application
What Is Privilege Escalation?
Privilege escalation refers to a situation where an attacker or malicious actor uses an existing account or permissions and manages to increase the level of permission to perform unauthorized actions. This can be done in a number of ways, including exploiting vulnerabilities in the system or application, using stolen credentials, or manipulating user permissions.
For example, an attacker may be able to gain access to a system with limited privileges as a regular user, but then use a privilege escalation attack to gain administrative privileges and access to more sensitive resources. This can allow the attacker to make changes to the system, access sensitive data, or install malicious software.
There are several methods that attackers can use to escalate privileges, including:
- Exploiting vulnerabilities: This involves finding and exploiting vulnerabilities in the system or application to gain higher privileges.
- Using stolen credentials: If an attacker can obtain the login credentials of a user with higher privileges, they can use those credentials to gain access to restricted resources.
- Manipulating user permissions: An attacker may try to manipulate user permissions or group membership to gain access to resources that they would not normally have access to.
Preventing privilege escalation is an important aspect of cybersecurity, and organizations can take several steps to protect against it, such as regularly updating software and applications, enforcing strong password policies, and monitoring for suspicious activity.
This is part of a series of articles about supply chain security.
In this article:
- Why Is It Important to Prevent Privilege Escalation?
- Horizontal Privilege Escalation vs. Vertical Privilege Escalation
- Linux Privilege Escalation Techniques
- Enumeration
- Kernel Exploits
- SUDO Right Exploitation
- Windows Privilege Escalation Techniques
- Access Token Manipulation
- Bypass User Account Control
- Privilege Escalation in Kubernetes
- Privilege Escalation from Node/Proxy Rights in Kubernetes RBAC
- Privilege Escalation with the CSR API
- 6 Ways to Prevent Privilege Escalation Attacks
- Keep Accounts up to Date With Comprehensive Privilege Account Management
- Patch and Update Software
- Perform Vulnerability Scans
- Monitor Network Traffic and Behavior
- Institute a Strong Password Policy
- Conduct Security Awareness Training
Why Is It Important to Prevent Privilege Escalation?
Preventing privilege escalation is important because it can help to protect against a wide range of attacks and prevent unauthorized access to sensitive resources. Some examples of attacks that may use privilege escalation include:
- Ransomware attacks: Ransomware is a type of malware that encrypts a victim’s files and demands payment to decrypt them. If an attacker is able to escalate their privileges, they may be able to install ransomware on a larger scale, potentially affecting the entire network.
- Data theft: An attacker with escalated privileges may be able to access and steal sensitive data, such as financial records or personally identifiable information.
- System modifications: An attacker with escalated privileges may be able to make changes to the system, such as deleting files or altering configuration settings.
- Persistent access: An attacker who is able to escalate their privileges may be able to maintain access to the system even if their initial access is discovered and blocked. This can allow them to continue to carry out attacks or gather sensitive information over a longer period of time.
Horizontal Privilege Escalation vs. Vertical Privilege Escalation
Horizontal privilege escalation and vertical privilege escalation are two different types of privilege escalation that refer to the scope of the privileges that an attacker is able to gain.
Horizontal privilege escalation occurs when an attacker gains access to resources or privileges that are within their existing scope of access. For example, an attacker who is a regular user on a system may be able to escalate their privileges to gain access to resources or functions that are normally available to regular users, but which they are not authorized to access. This might include access to sensitive files or the ability to make changes to the system.
Vertical privilege escalation, on the other hand, occurs when an attacker is able to gain access to resources or privileges that are outside their normal scope of access. This might involve an attacker who starts out with limited privileges, such as a regular user, gaining access to administrative privileges or the ability to make changes to the system.
Linux Privilege Escalation Techniques
Enumeration
Enumeration is a technique that involves gathering information about a system in order to identify vulnerabilities or weaknesses that can be exploited to gain unauthorized access. In the context of privilege escalation on a Linux system, enumeration might involve gathering information about installed software, user accounts, and system configurations to identify potential vulnerabilities or weaknesses that can be exploited to escalate privileges.
Kernel Exploits
Kernel exploits are vulnerabilities or weaknesses in the kernel of an operating system that can be exploited to gain unauthorized access to the system or to escalate privileges. The kernel is the core of the operating system and has access to all system resources, making it a valuable target for attackers.
SUDO Right Exploitation
SUDO right exploitation involves using the SUDO (superuser do) command to execute a command with superuser privileges, even if the user does not have those privileges. SUDO is typically used to allow users to perform tasks that require elevated privileges, such as installing software or making system-wide configuration changes. However, if an attacker is able to exploit a vulnerability in SUDO or manipulate the SUDO configuration, they may be able to gain unauthorized access to superuser privileges.
Windows Privilege Escalation Techniques
Access Token Manipulation
An access token is a data structure that is used to identify a user and determine their access rights on a Windows system. By manipulating the access token, an attacker may be able to gain access to resources or privileges that they would not normally have access to.
Bypass User Account Control
User Account Control (UAC) is a security feature in Windows that prompts the user for permission before allowing certain actions to be taken. Bypassing UAC can allow an attacker to execute a command or make changes to the system without the user’s knowledge or consent.
Privilege Escalation in Kubernetes
Kubernetes clusters are increasingly used to deploy many kinds of workloads, including sensitive and mission critical workloads. Privilege escalation in Kubernetes is an attractive way for attackers to gain unauthorized access to these workloads. Here are two examples of privilege escalation attacks in Kubernetes clusters, discovered by the Aqua Nautilus research team.
Privilege Escalation from Node/Proxy Rights in Kubernetes RBAC
In Kubernetes, privilege escalation from node/proxy rights refers to a situation where an attacker or malicious actor is able to gain unauthorized access to resources or privileges within the Kubernetes cluster by exploiting the rights granted to a node or proxy.
In Kubernetes, nodes are the machines (either virtual or physical) that run the Kubernetes system and host the containers. Proxies are intermediary components that are used to communicate with the Kubernetes API server and manage communication between the nodes and the API server.
Nodes and proxies are typically granted certain rights within the Kubernetes cluster, such as the ability to create and manage resources and access certain API endpoints. However, if an attacker is able to gain access to a node or proxy, they may be able to use those rights to escalate their privileges and gain unauthorized access to other resources within the cluster.
Privilege Escalation with the CSR API
The CSR API is an API in Kubernetes that is used to manage certificate signing requests (CSRs). CSRs are requests for a certificate authority (CA) to sign a certificate for a specific purpose, such as authenticating a user or device. The CSR API allows users to create, view, and approve CSRs.
If an attacker is able to exploit vulnerabilities in the CSR API, they may be able to gain unauthorized access to resources or privileges within the Kubernetes cluster. For example, an attacker may be able to create a CSR that is signed by the CA, allowing them to authenticate as a user or device and gain access to restricted resources.
6 Ways to Prevent Privilege Escalation Attacks
Keep Accounts up to Date With Comprehensive Privilege Account Management
Properly managing user accounts and privileges can help to prevent privilege escalation attacks by limiting the access that users have to sensitive resources and functions. This might include regularly reviewing and updating user accounts and privileges, enforcing strong passwords and authentication measures, and monitoring for suspicious activity.
Patch and Update Software
Regularly patching and updating software and applications can help to prevent privilege escalation attacks by addressing known vulnerabilities and closing potential entry points for attackers. This includes keeping the operating system and any associated applications up to date with the latest patches and updates.
Perform Vulnerability Scans
Regularly scanning the system for vulnerabilities can help to identify potential weaknesses that could be exploited in a privilege escalation attack. This might include using tools and techniques to scan for vulnerabilities in the operating system, applications, and network infrastructure.
Monitor Network Traffic and Behavior
Monitoring network traffic and behavior can help identify suspicious activity or anomalies that might indicate an attempted privilege escalation attack. This might include monitoring for unusual traffic patterns, suspicious connections, or other indicators of potentially malicious activity.
Institute a Strong Password Policy
Enforcing strong password policies can help prevent privilege escalation attacks by making it more difficult for attackers to guess or crack passwords. This might include requiring strong passwords, enforcing password expiration, and using two-factor authentication.
Conduct Security Awareness Training
Providing security awareness training to users can help educate them about the risks of privilege escalation attacks and how to prevent them. This might include training on the importance of strong passwords, the dangers of clicking on links or opening attachments from unknown sources, and the need to report suspicious activity.
Preventing Privilege Escalation Attacks with Aqua
To prevent privilege escalation attacks in your environment, it’s essential to regularly scan your container images for potential vulnerabilities with static scanning tools such as Aqua Trivy. It’s a comprehensive and easy-to-use open source security scanner. Unlike other tools, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines. You can use Trivy to find vulnerabilities & IaC misconfigurations, perform SBOM discovery, cloud scanning, detect Kubernetes security risks, and more.
- What Is Privilege Escalation?
- Why Is It Important to Prevent Privilege Escalation?
- Horizontal Privilege Escalation vs. Vertical Privilege Escalation
- Linux Privilege Escalation Techniques
- Enumeration
- Kernel Exploits
- SUDO Right Exploitation
- Windows Privilege Escalation Techniques
- Access Token Manipulation
- Bypass User Account Control
- Privilege Escalation in Kubernetes
- Privilege Escalation from Node/Proxy Rights in Kubernetes RBAC
- Privilege Escalation with the CSR API
- 6 Ways to Prevent Privilege Escalation Attacks
- Keep Accounts up to Date With Comprehensive Privilege Account Management
- Patch and Update Software
- Perform Vulnerability Scans
- Monitor Network Traffic and Behavior
- Institute a Strong Password Policy
- Conduct Security Awareness Training
- Preventing Privilege Escalation Attacks with Aqua