Rory McCune

1,038 Followers
342 Following
799 Posts
Containers, Security, Kubernetes, Hillwalking
Personal Site: https://www.mccune.org.uk/
Blog: https://raesene.github.io/
Container Security Site: https://www.container-security.site
GitHub: https://github.com/raesene/
https://bumsrake.de/ - This is an amusing way to do vuln. disclosure
BUMSRAKETE™ — The Most Beautiful, Most Tremendous FreeBSD Vulnerability In The History Of Computing. BELIEVE ME.

BUMSRAKETE is a HUGE, TREMENDOUS, MANY-PEOPLE-ARE-SAYING FreeBSD kTLS-RX page-cache write primitive. The BEST primitive. Some say the best ever.

Monitor LLM routing with the Kubernetes Inference Extension | Datadog #devopsish https://www.datadoghq.com/blog/llm-routing-kubernetes-inference-extension/
@shodan any plans to allow searching by the Subject Alternative Name field in X.509 certificates? On certain systems (e.g. Kubernetes) there's quite a lot of internal information leakage via that field, and it'd be interesting to be able to run an analysis on it.
“Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.” — https://blog.rubygems.org/2026/06/03/cooldown-let-new-gems-be-vetted.html
Cool down before you install: give new gems a few days to be vetted

Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. ...

RubyGems Blog
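A sketch of the cooldown rule the quoted post describes, written here as an added Ruby example and not Bundler's own resolver code: given a version list in the shape of the rubygems.org versions API, it picks the newest version that satisfies a requirement and has been public for at least N days, and returns nil when every candidate is too new. The sample data, the fixed `now` timestamp and the function name are constructed for illustration.

```ruby
require 'json'
require 'time'
require 'rubygems' # Gem::Version and Gem::Requirement

# Constructed sample in the shape of rubygems.org's /api/v1/versions/<gem>.json
# (only the two fields used here). Assumption: created_at is ISO 8601 in UTC.
SAMPLE_VERSIONS_JSON = <<~JSON
  [
    {"number": "2.4.0", "created_at": "2026-06-02T09:00:00.000Z"},
    {"number": "2.3.1", "created_at": "2026-05-20T12:00:00.000Z"},
    {"number": "2.3.0", "created_at": "2026-04-01T12:00:00.000Z"},
    {"number": "2.2.9", "created_at": "2025-11-15T12:00:00.000Z"}
  ]
JSON

# Return (as a string) the newest version that satisfies +requirement+ and
# was published at least +cooldown_days+ before +now+. Versions younger than
# the window are skipped even if they are the latest; nil if nothing qualifies,
# which a caller should treat as "wait" rather than "fall back to the newest".
def resolve_with_cooldown(versions_json, requirement: '>= 0', cooldown_days: 7, now: Time.now.utc)
  req = Gem::Requirement.new(requirement)
  cutoff = now - (cooldown_days * 24 * 60 * 60)
  JSON.parse(versions_json)
      .map { |v| [Gem::Version.new(v['number']), Time.parse(v['created_at'])] }
      .select { |ver, published| req.satisfied_by?(ver) && published <= cutoff }
      .max_by { |ver, _| ver }
      &.first
      &.to_s
end

if $PROGRAM_NAME == __FILE__
  # Constructed "now": the day after 2.4.0 shipped, so a 7-day window skips it.
  now = Time.utc(2026, 6, 3, 12)
  puts "cooldown 7d:  #{resolve_with_cooldown(SAMPLE_VERSIONS_JSON, cooldown_days: 7, now: now).inspect}"
  puts "cooldown 0d:  #{resolve_with_cooldown(SAMPLE_VERSIONS_JSON, cooldown_days: 0, now: now).inspect}"
  puts "cooldown 1y:  #{resolve_with_cooldown(SAMPLE_VERSIONS_JSON, cooldown_days: 365, now: now).inspect}"
end
```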

It's always been known that containers don't fully contain, but the ease with which attackers can execute container breakout attacks now, using LLM backed tooling, should prompt people to re-evaluate where they can rely on container isolation.

Some more thoughts and a concrete example here https://raesene.github.io/blog/2026/06/03/do-containers-still-contain/

Do containers still contain?

If you're seeing some new "old" vulnerabilities show up in vulnerability scans of Kubernetes clusters, it's based on some work done by the project to correct some CVE records for issues that have no patch available.

There's a blog on the topic https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/ which explains why and provides some of the historical context.

If you're interested in the technical details of these vulnerabilities and some ideas on whether they're relevant for your clusters, and what to do if they are, there's a series of technical deep-dives here https://securitylabs.datadoghq.com/articles/?s=unpatchable

Reconciling the Past: Correcting Records for Unfixed Kubernetes CVEs

The Kubernetes project relies on transparency to empower cluster administrators and security researchers. One important way we do that is by publishing CVE records into the Common Vulnerabilities and Exposures database. As part of our ongoing effort to mature the official Kubernetes CVE Feed, we have identified some discrepancies. CVE records for a few older, unfixed issues incorrectly include a fixed version field. The Kubernetes Security Response Committee (SRC) will correct the affected CVE records on June 1, 2026. This may result in vulnerability scanners identifying these vulnerabilities in places where they were previously not detected.

Kubernetes

Here's the last one in our series of blogs on the unpatchable vulnerabilities of #Kubernetes, with CVE-2021-25740

https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2021-25740/

Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 | Datadog Security Labs

A look at how Kubernetes CVE-2021-25740 allows users with EndpointSlice access to redirect traffic via shared ingress and load balancer services.

RE: https://mastodon.r3pek.org/@r3pek/116577493086729004

This is like the fourth Linux LPE in the last couple of weeks (and I'd guess there'll be more circulating privately). Doesn't feel sustainable to be relying on user separation for isolation any more.

And I know people will say there's always been LPE in Linux, but there's a lot more with pre-packed PoCs these days just floating around.

Looking forward to attending Le Tour Du Hack on Saturday in Edinburgh. I'll be doing a talk about Kubernetes post-exploitation at 13:40 alongside many other great talks.

https://speak.enusec.org/le-tour-du-hack-2026/talk/EEMPKG/

Ghosts in the Cluster - Hiding in Kubernetes for Years | Le Tour Du Hack

You've popped a Kubernetes cluster. You've got admin creds. Now the real question is how do you stay? Kubernetes abstracts away enormous complexity across multiple layers, from container runtimes to cluster APIs and each of those layers has dark corners where an attacker can set up shop and go unnoticed for months or even years. This talk is a post-exploitation deep dive into Kubernetes persistence. We'll walk through a compromised cluster layer by layer, demonstrating how attackers can escape to cluster nodes, spin up containers invisible to kubectl, abuse the Kubelet API to dodge audit logging and admission control, and create phantom credentials that survive long after the initial breach is forgotten. If defenders aren't watching every layer of the stack, they won't see you coming, or going.

@mhoye @andrewnez I don't know what made me laugh more: The satiric CVE or the obviously automatically AI-generated renarration on some vendor's blog 🤣🤣🤣
https://sesamedisk.com/cve-2024-yikes-supply-chain-attack/
CVE-2024-YIKES: A Supply Chain Attack Exposed and How to Prevent It

Learn about the CVE-2024-YIKES supply chain attack, its analysis, root causes, and strategies to prevent similar cybersecurity incidents in software ecosystems.

Sesame Disk