IaaS Internal Pentesting (Gray-Box)

SovereignCloudStack / issues

This repository is used for issues that are cross-repository or not bound to a specific repository.

https://github.com/orgs/SovereignCloudStack/projects/6

2 stars 1 forks source link

IaaS Internal Pentesting (Gray-Box) #410

Open 90n20 opened 9 months ago

90n20 commented 9 months ago

Assessing the security of internal resources and components hosted within a SCS testbed deployment. This will be done from a Gray-box perspective, which involves a mix of knowledge about the environment, similar to internal personnel, combined with external information that an attacker might gather. (Related to #391)

Tasks

[x] Planning and Preparation
[x] Reconnaissance & Information Gathering
[x] Enumeration & Service Discovery
[x] Vulnerability scanning and Analysis
[x] Exploitation
[x] Privilege Escalation
[x] Lateral Movement
[x] Data and Resources exposure
[x] Enumeration with Low privileged users/roles (#494)
[x] Enumeration with High privileged users/roles (#521)
[x] Pentest from an instance (#530)
[x] Documentation & Reporting

90n20 commented 7 months ago

We have finished with internal testing through wireguard/ssh tunnels, with special mention to the following ports/services on both testbed manager and nodes:

Prometheus exporters
Rabbitmq services
Bucket services
Swagger Apis
Kubelet metrics
Elasticsearch services
Alert-manager services
OpenSearch Dashboard services
Mysql services
Galera cluster services
Beanstalk services
Memcached services
Various exporters and metric services

2 security advisories have been created (only visible to authorized members) affecting the following components:

OpenStack Horizon
OpenSearch Dasboards

Going forward, manager and nodes will be tested from the point of view of an authenticated user.

90n20 commented 4 months ago

Assesment with Low and High privileged users has been performed on a standard testbed deployment, giving an overview of the security mechanisms present in manager and nodes either without and with hardening enabled. The results, which have been uploaded to SCS nexcloud instance, may be used by teams to improve the overall security of the systems.

This should be tested again, maybe following releases calendar, in order to track possible changes. Automation may be possible, however lots of manual work and checking is involved in the process.

Moving on, we are now testing the internal security of the components within a deployed instance on a test project. This will allow us to evaluate the security from the point of view of a "client" using the infrastructure (#530)

90n20 commented 3 months ago

Internal security of the components inside a deployed instance on a testbed project has been reviewed using two different machines (CirrOS and Ubuntu ones). Our evaluation showed minor problems, which guarantees the security of the infrastructure from a client's point of view.

All tasks related to this issue have been finished.

bitkeks commented 3 months ago

Ok thanks @90n20. Let's sync on this one final time and create an executive summary for the rest of the team and our partners.