CVE-2023-2728: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin (3rd Jul 2023)

Preface: When you know there is a vulnerability on the tool. Perhaps, your security awareness level will decrease. Maybe that makes sense, if you don’t use the tool, the risk is nullified.
But sometimes it’s exceptions and coincidences. Something similar happens in the Kubernetes environment as well.

Background: Ephemeral containers differ from other containers in that they lack guarantees for resources or execution, and they will never be automatically restarted, so they are not appropriate for building applications.
Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image doesn’t include debugging utilities.

In Kubernetes, namespaces provides a mechanism for isolating groups of resources within a single cluster.

  • IPC namespaces contain a specific kind of IPC objects known as “POSIX IPC” and “SysV IPC” – shared memory areas, message queues, and semaphores.
  • Mount (MNT) namespaces are a powerful tool for creating per-process file system trees, thus per-process root filesystem views.
    Linux maintains a data structure for all the different filesystems mounted on the system. This structure is a per-process attribute and also per-namespace.

Vulnerability details: Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified
in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes[.]io/enforce-mountable-secrets annotation are used together with ephemeral containers.

Official announcement: For details please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-2728

NVIDIA empower Artificial Intelligence competence. At the same time, vendor urge staying alert for product vulnerability (2nd Jul 2023)

Preface: The A800 has a data transfer rate of 400GB/s and the A100 is 600GB/s, and as such complies with the 600GB/s or less.

Background: What is SMM? It turned out to be SM in the Fermi era and SMX in the Kepler era. If you enlarge the SMX core of Kepler, you will see more LD/ST access units than Fermi, which also means that
the number of execution threads processed by Kepler in a single cycle is higher than that of Fermi.
Streaming Multiprocessor composed of CUDA Core, PolyMorph Engine and other units.
Simply put, it is to fine-tune the number of CUDA Cores built in the SMM unit from 192 to 128. The SMM is divided into 4 small blocks,
and each block has an independent control logic (Control Logic). In the past, these control logics needed to be responsible for a large number of CUDA Cores. Through small blocks.

Vulnerability details:
CVE‑2023‑25521: The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where improper validation of an input parameter
may lead to code execution, escalation of privileges, denial of service, information disclosure, and data tampering.
CVE-2023-25522: The NVIDIA DGX A100 and A800 systems contain a vulnerability in SBIOS, where information that is provided
in an unexpected format may cause improper validation of an input parameter, which may lead to denial of service, information disclosure, and data tampering.

Best practice: Disable all features in the UEFI and OS, that are not used. This reduces the attack surface.
Configure your system to only execute signed code and signed kernel modules, if possible.

Official announcement: For details, please refer to link – https://nvidia.custhelp.com/app/answers/detail/a_id/5461