Privilege Escalation in Windows, Linux, and K8s and 6 Ways to Prevent It

Privilege escalation is a situation where a malicious actor gains unauthorized access to resources or privileges on a computer system, network, or application

February 23, 2023

What Is Privilege Escalation? 

Privilege escalation refers to a situation where an attacker or malicious actor uses an existing account or permissions and manages to increase the level of permission to perform unauthorized actions. This can be done in a number of ways, including exploiting vulnerabilities in the system or application, using stolen credentials, or manipulating user permissions.

For example, an attacker may be able to gain access to a system with limited privileges as a regular user, but then use a privilege escalation attack to gain administrative privileges and access to more sensitive resources. This can allow the attacker to make changes to the system, access sensitive data, or install malicious software.

There are several methods that attackers can use to escalate privileges, including:

  • Exploiting vulnerabilities: This involves finding and exploiting vulnerabilities in the system or application to gain higher privileges.
  • Using stolen credentials: If an attacker can obtain the login credentials of a user with higher privileges, they can use those credentials to gain access to restricted resources.
  • Manipulating user permissions: An attacker may try to manipulate user permissions or group membership to gain access to resources that they would not normally have access to.

Preventing privilege escalation is an important aspect of cybersecurity, and organizations can take several steps to protect against it, such as regularly updating software and applications, enforcing strong password policies, and monitoring for suspicious activity.

This is part of a series of articles about supply chain security.

In this article:

Why Is It Important to Prevent Privilege Escalation? 

Preventing privilege escalation is important because it can help to protect against a wide range of attacks and prevent unauthorized access to sensitive resources. Some examples of attacks that may use privilege escalation include:

  • Ransomware attacks: Ransomware is a type of malware that encrypts a victim’s files and demands payment to decrypt them. If an attacker is able to escalate their privileges, they may be able to install ransomware on a larger scale, potentially affecting the entire network.
  • Data theft: An attacker with escalated privileges may be able to access and steal sensitive data, such as financial records or personally identifiable information.
  • System modifications: An attacker with escalated privileges may be able to make changes to the system, such as deleting files or altering configuration settings.
  • Persistent access: An attacker who is able to escalate their privileges may be able to maintain access to the system even if their initial access is discovered and blocked. This can allow them to continue to carry out attacks or gather sensitive information over a longer period of time.

Horizontal Privilege Escalation vs. Vertical Privilege Escalation 

Horizontal privilege escalation and vertical privilege escalation are two different types of privilege escalation that refer to the scope of the privileges that an attacker is able to gain.

Horizontal privilege escalation occurs when an attacker gains access to resources or privileges that are within their existing scope of access. For example, an attacker who is a regular user on a system may be able to escalate their privileges to gain access to resources or functions that are normally available to regular users, but which they are not authorized to access. This might include access to sensitive files or the ability to make changes to the system.

Vertical privilege escalation, on the other hand, occurs when an attacker is able to gain access to resources or privileges that are outside their normal scope of access. This might involve an attacker who starts out with limited privileges, such as a regular user, gaining access to administrative privileges or the ability to make changes to the system.

Linux Privilege Escalation Techniques

Enumeration

Enumeration is a technique that involves gathering information about a system in order to identify vulnerabilities or weaknesses that can be exploited to gain unauthorized access. In the context of privilege escalation on a Linux system, enumeration might involve gathering information about installed software, user accounts, and system configurations to identify potential vulnerabilities or weaknesses that can be exploited to escalate privileges.

Kernel Exploits

Kernel exploits are vulnerabilities or weaknesses in the kernel of an operating system that can be exploited to gain unauthorized access to the system or to escalate privileges. The kernel is the core of the operating system and has access to all system resources, making it a valuable target for attackers.

SUDO Right Exploitation

SUDO right exploitation involves using the SUDO (superuser do) command to execute a command with superuser privileges, even if the user does not have those privileges. SUDO is typically used to allow users to perform tasks that require elevated privileges, such as installing software or making system-wide configuration changes. However, if an attacker is able to exploit a vulnerability in SUDO or manipulate the SUDO configuration, they may be able to gain unauthorized access to superuser privileges.

Windows Privilege Escalation Techniques 

Access Token Manipulation

An access token is a data structure that is used to identify a user and determine their access rights on a Windows system. By manipulating the access token, an attacker may be able to gain access to resources or privileges that they would not normally have access to.

Bypass User Account Control

User Account Control (UAC) is a security feature in Windows that prompts the user for permission before allowing certain actions to be taken. Bypassing UAC can allow an attacker to execute a command or make changes to the system without the user’s knowledge or consent.

Privilege Escalation in Kubernetes 

Kubernetes clusters are increasingly used to deploy many kinds of workloads, including sensitive and mission critical workloads. Privilege escalation in Kubernetes is an attractive way for attackers to gain unauthorized access to these workloads. Here are two examples of privilege escalation attacks in Kubernetes clusters, discovered by the Aqua Nautilus research team.

Privilege Escalation from Node/Proxy Rights in Kubernetes RBAC

In Kubernetes, privilege escalation from node/proxy rights refers to a situation where an attacker or malicious actor is able to gain unauthorized access to resources or privileges within the Kubernetes cluster by exploiting the rights granted to a node or proxy.

In Kubernetes, nodes are the machines (either virtual or physical) that run the Kubernetes system and host the containers. Proxies are intermediary components that are used to communicate with the Kubernetes API server and manage communication between the nodes and the API server.

Nodes and proxies are typically granted certain rights within the Kubernetes cluster, such as the ability to create and manage resources and access certain API endpoints. However, if an attacker is able to gain access to a node or proxy, they may be able to use those rights to escalate their privileges and gain unauthorized access to other resources within the cluster.

Read the full research blog by the Aqua Nautilus team

Privilege Escalation with the CSR API

The CSR API is an API in Kubernetes that is used to manage certificate signing requests (CSRs). CSRs are requests for a certificate authority (CA) to sign a certificate for a specific purpose, such as authenticating a user or device. The CSR API allows users to create, view, and approve CSRs.

If an attacker is able to exploit vulnerabilities in the CSR API, they may be able to gain unauthorized access to resources or privileges within the Kubernetes cluster. For example, an attacker may be able to create a CSR that is signed by the CA, allowing them to authenticate as a user or device and gain access to restricted resources.

Read the full research blog by the Aqua Nautilus team

6 Ways to Prevent Privilege Escalation Attacks 

Keep Accounts up to Date With Comprehensive Privilege Account Management

Properly managing user accounts and privileges can help to prevent privilege escalation attacks by limiting the access that users have to sensitive resources and functions. This might include regularly reviewing and updating user accounts and privileges, enforcing strong passwords and authentication measures, and monitoring for suspicious activity.

Patch and Update Software

Regularly patching and updating software and applications can help to prevent privilege escalation attacks by addressing known vulnerabilities and closing potential entry points for attackers. This includes keeping the operating system and any associated applications up to date with the latest patches and updates.

Perform Vulnerability Scans

Regularly scanning the system for vulnerabilities can help to identify potential weaknesses that could be exploited in a privilege escalation attack. This might include using tools and techniques to scan for vulnerabilities in the operating system, applications, and network infrastructure.

Monitor Network Traffic and Behavior

Monitoring network traffic and behavior can help identify suspicious activity or anomalies that might indicate an attempted privilege escalation attack. This might include monitoring for unusual traffic patterns, suspicious connections, or other indicators of potentially malicious activity.

Institute a Strong Password Policy

Enforcing strong password policies can help prevent privilege escalation attacks by making it more difficult for attackers to guess or crack passwords. This might include requiring strong passwords, enforcing password expiration, and using two-factor authentication.

Conduct Security Awareness Training

Providing security awareness training to users can help educate them about the risks of privilege escalation attacks and how to prevent them. This might include training on the importance of strong passwords, the dangers of clicking on links or opening attachments from unknown sources, and the need to report suspicious activity.

Preventing Privilege Escalation Attacks with Aqua

To prevent privilege escalation attacks in your environment, it’s essential to regularly scan your container images for potential vulnerabilities with static scanning tools such as Aqua Trivy. It’s a comprehensive and easy-to-use open source security scanner. Unlike other tools, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines. You can use Trivy to find vulnerabilities & IaC misconfigurations, perform SBOM discovery, cloud scanning, detect Kubernetes security risks, and more.

Need to secure enterprise workloads?
Aqua Cloud Native Application Protection Platform (CNAPP)
Go cloud native with the experts!
Get Demo
Aqua Security stops cloud native attacks across the application lifecycle and is the only company with a $1M Cloud Native Protection Warranty to guarantee it. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry's most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from code to cloud and back. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.
Read Aqua Security reviews on G2

Use Cases

Environments

Partners

Resources

About Us

Get in Touch

Products

Get Started
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use | Cookie Settings |  
Accessibility Tools
Normal text size Medium text size Large text size
Normal display Black & White display High contrast display
Stop transitions and animations Underline Links