Saturday, June 15, 2024

Multiple Flaws in Google Kubernetes Engine Let Attackers Escalate Privileges

Google Kubernetes Engine (GEK) has been detected with two flaws that a threat actor can utilize to create significant damage in case the threat actor already has access inside the Kubernetes cluster.

The first issue was associated with FluentBit with default configuration. FluentBit is GKE’s logging agent that runs by default on all the clusters.

The second issue was linked to Anthos Service Mesh (ASM), which has default privileges. ASM controls the service-to-service communication within the GKE environment.

Multiple Flaws in Google Kubernetes Engine

If an attacker gains enough privilege inside a FluentBit container, which also has ASM installed, the threat actor can create an attack chain that could result in complete control over the Kubernetes cluster.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Post this, the threat actor can perform various actions such as data theft, deployment of malicious pods, or even disruption of the Kubernetes cluster’s operations. However, Google fixed this configuration issue in mid-December 2023.

Exploitation of FluentBit Permissions

In this step, each pod inside the FluentBit mounted volume contains a kube-api-access volume that has the projected service account token. This token is used to communicate with the Kubernetes API, which is sensitive information. 

FluentBit misconfiguration
FluentBit misconfiguration (Source: Unit 42)

If the FluentBit pod is compromised, the threat actor can use any token of any pod on the node. After this, the threat actor can also impersonate a pod and gain privileged access inside the Kubernetes API server, followed by several malicious actions such as mapping the entire cluster, listing all the running pods, etc.

Second Step: Exploitation of Istio Post-Installation Permissions

This step involves the exploitation of ASM’s Container Network Interface (CNI) DaemonSet, which keeps excessive privileges after installation. While ASM is enabled, Istio-cni-node DaemonSet is also installed in the cluster.

Anthos Service Mesh misconfiguration
Anthos Service Mesh misconfiguration (Source: Unit 42)

This Daemonset is used for installing and configuring the Istio CNI plugin on each node in the cluster, and it also has higher permissions to perform tasks. However, once it starts to run, it does not require higher permissions.

There are two roles for this Daemonset; one of them is to install the CNI plugin, which does not require RBAC (Role-based access control), and the other is “repair” mode, which detects if pods have started without configuration, which requires some level of RBAC privileges.

Chaining these Exploits

To chain these exploits, the pod must have an ASM feature installed, and the threat actor must gain privileged access inside the Kubernetes cluster. Once these two prerequisites are fulfilled, the threat actor can chain these exploits.

The threat actor can perform a task after taking control of the FluentBit container by exploiting the default configuration. Once after this, the threat actor can have access to the kube-api-access-<random-suffix> directory that has all the tokens from all the pods in the node.

From there, the threat actor can perform any malicious actions and gain complete control over the Kubernetes cluster.

A complete report about these two issues has been published by Palo Alto, providing detailed information about the privileges, concepts, exploitation, and other information.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles