Skip to content

Application vulnerability

Info

ID: MS-TA9004
Tactic: Initial Access
MITRE technique: T1190

Running a public-facing vulnerable application in a cluster can enable initial access to the cluster. A container that runs an application that is vulnerable to remote code execution vulnerability (RCE) may be exploited. If service account is mounted to the container (default behavior in Kubernetes), the attacker will be able to send requests to the API server using this service account credentials.

Mitigations

ID Mitigation Description
MS-M9005 Image Assurance Policy Ensure that only images that passed the security compliance policies are pushed to registries and deployed to Kubernetes clusters.
MS-M9007 Network Intrusion Prevention Use network intrusion prevention to block exploiting vulnerabilities.