Friday, March 1, 2024

Multiple Flaws in Google Kubernetes Engine Let Attackers Escalate Privileges

Google Kubernetes Engine (GEK) has been detected with two flaws that a threat actor can utilize to create significant damage in case the threat actor already has access inside the Kubernetes cluster.

The first issue was associated with FluentBit with default configuration. FluentBit is GKE’s logging agent that runs by default on all the clusters.

The second issue was linked to Anthos Service Mesh (ASM), which has default privileges. ASM controls the service-to-service communication within the GKE environment.

Multiple Flaws in Google Kubernetes Engine

If an attacker gains enough privilege inside a FluentBit container, which also has ASM installed, the threat actor can create an attack chain that could result in complete control over the Kubernetes cluster.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Post this, the threat actor can perform various actions such as data theft, deployment of malicious pods, or even disruption of the Kubernetes cluster’s operations. However, Google fixed this configuration issue in mid-December 2023.

Exploitation of FluentBit Permissions

In this step, each pod inside the FluentBit mounted volume contains a kube-api-access volume that has the projected service account token. This token is used to communicate with the Kubernetes API, which is sensitive information. 

FluentBit misconfiguration
FluentBit misconfiguration (Source: Unit 42)

If the FluentBit pod is compromised, the threat actor can use any token of any pod on the node. After this, the threat actor can also impersonate a pod and gain privileged access inside the Kubernetes API server, followed by several malicious actions such as mapping the entire cluster, listing all the running pods, etc.

Second Step: Exploitation of Istio Post-Installation Permissions

This step involves the exploitation of ASM’s Container Network Interface (CNI) DaemonSet, which keeps excessive privileges after installation. While ASM is enabled, Istio-cni-node DaemonSet is also installed in the cluster.

Anthos Service Mesh misconfiguration
Anthos Service Mesh misconfiguration (Source: Unit 42)

This Daemonset is used for installing and configuring the Istio CNI plugin on each node in the cluster, and it also has higher permissions to perform tasks. However, once it starts to run, it does not require higher permissions.

There are two roles for this Daemonset; one of them is to install the CNI plugin, which does not require RBAC (Role-based access control), and the other is “repair” mode, which detects if pods have started without configuration, which requires some level of RBAC privileges.

Chaining these Exploits

To chain these exploits, the pod must have an ASM feature installed, and the threat actor must gain privileged access inside the Kubernetes cluster. Once these two prerequisites are fulfilled, the threat actor can chain these exploits.

The threat actor can perform a task after taking control of the FluentBit container by exploiting the default configuration. Once after this, the threat actor can have access to the kube-api-access-<random-suffix> directory that has all the tokens from all the pods in the node.

From there, the threat actor can perform any malicious actions and gain complete control over the Kubernetes cluster.

A complete report about these two issues has been published by Palo Alto, providing detailed information about the privileges, concepts, exploitation, and other information.

Website

Latest articles

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral restaurant chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...

Hackers Hijack Anycubic 3D Printers to Display Warning Messages

Anycubic 3D printer owners have been caught off guard by a series of unauthorized...

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

Stellar Cyber, the innovator of Open XDR, today announced that RSM US – the leading provider...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles