Hello, welcome to the Tuesday, December 11th, 2018 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Last week I talked about the privilege escalation vulnerability in the Kubernetes API server.

And if you remember, as the vulnerability was announced

and the patch was released, there was already a proof-of-concept exploit that was made public

for an authenticated version of this vulnerability. Well, it turns out we now also have an

unauthenticated version of the exploit, so this

exploit can be executed with an anonymous connection to the exposed API.

So as long as any of your APIs are exposed, this unauthenticated proof of concept exploit

will work and it can gain cluster admin rights.

So if you haven't done so yet, definitely make sure that you are patching this vulnerability

and also review who has access to these APIs and how they can be accessed. Now, if you have been coding web applications and have done so, for example, impart in JavaScript

on the client and maybe even JavaScript or other high-level languages on the server,

then people probably told you that things like format, string vulnerabilities, and buffer

overflows aren't really all that much for you to worry about, because after all, these

languages manage memory for you, and unless these languages have a flaw, which of course

sometimes happens, yes, you're safe from buffer overflows. Well, this is actually changing.

And the reason for that is a web assembly. John Bergbaum from Forcepoint came up with a real nice

article illustrating how some of these old vulnerabilities can affect web assembly by coding or allowing the developer

here again to code in C in other low-level languages and then have that code executed in the

browser.

...