Google Cloud has addressed a medium-severity security flaw in Google Kubernetes Engine (GKE) that could be abused by an attacker who already has a foothold in a Kubernetes cluster to escalate their privileges.
"An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said as part of an advisory released on December 14, 2023.
Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations."
There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) –
A key prerequisite to successfully exploiting the vulnerability is that the attacker has already compromised a Fluent Bit container through some other initial access method, such as a remote code execution flaw in a workload.
"GKE uses Fluent Bit to process logs for workloads running on clusters," Google explained. "Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node."
This meant that a threat actor who controlled the Fluent Bit container could read the service account tokens of every other pod scheduled on the same node. On a cluster with ASM enabled, those tokens include ASM's own service account token, whose permissions were broad enough to create a new pod; by running that pod under a more privileged service account, the attacker could escalate to cluster-admin.
"The clusterrole-aggregation-controller (CRAC) service account is probably the top candidate, as it can add arbitrary permissions to existing cluster roles," security researcher Shaul Ben Hai said. "The attacker can update the cluster role bound to CRAC to possess all privileges."
By way of fixes, Google has removed Fluent Bit's access to the service account tokens and re-architected the functionality of ASM to remove the excessive role-based access control (RBAC) permissions, so that neither half of the chain is available on patched clusters.
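The exposure Google describes is a node-level volume mount that lets one container read the projected service-account tokens of every other pod on the node. The following audit script, added here as an illustration and not code from Google, Unit 42 or the researcher, walks a directory laid out like the kubelet's pods directory (`<root>/<pod-uid>/volumes/kubernetes.io~projected/<volume>/token`, which is the layout this example assumes), decodes each token's JWT claims without verifying them, and reports which namespace and service account each token belongs to, flagging namespaces where system or mesh components live. It builds a constructed sample tree with unsigned, made-up tokens so it runs offline; the pod UIDs and service-account names in the sample are invented.

```python
"""Audit which service-account tokens a node-level volume mount exposes.

Added example (not Google's, Unit 42's or the researcher's code). It assumes
the kubelet's usual on-disk layout for projected token volumes,
  <root>/<pod-uid>/volumes/kubernetes.io~projected/<volume>/token
and builds a constructed sample tree with unsigned JWTs so it runs offline.
"""
import base64
import json
import tempfile
from pathlib import Path

# Assumption for the sample: namespaces whose tokens an attacker would value most.
HIGH_VALUE_NAMESPACES = {"kube-system", "istio-system"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it (enough to see whose token it is)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def find_exposed_tokens(pods_root):
    """Walk a kubelet-style pods directory; return one record per readable SA token."""
    root = Path(pods_root)
    found = []
    for token_path in sorted(root.glob("*/volumes/kubernetes.io~projected/*/token")):
        pod_uid = token_path.relative_to(root).parts[0]
        try:
            claims = decode_claims(token_path.read_text().strip())
        except (OSError, ValueError, json.JSONDecodeError):
            continue  # unreadable or not a token: skip, do not crash the audit
        # Bound service-account tokens carry sub=system:serviceaccount:<ns>:<name>
        sub = claims.get("sub", "")
        prefix = "system:serviceaccount:"
        if not sub.startswith(prefix):
            continue
        namespace, sa_name = sub[len(prefix):].split(":", 1)
        found.append({
            "pod_uid": pod_uid,
            "namespace": namespace,
            "serviceaccount": sa_name,
            "high_value": namespace in HIGH_VALUE_NAMESPACES,
            "path": str(token_path),
        })
    return found


def make_fake_token(namespace, sa_name):
    """Constructed, unsigned JWT with the claim shape of a bound SA token. Sample data only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": "https://kubernetes.default.svc",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }).encode())
    return f"{header}.{payload}."


def build_sample_tree():
    """Create a constructed kubelet-style tree; pod UIDs and SA names are made up."""
    root = Path(tempfile.mkdtemp(prefix="kubelet-pods-"))
    samples = [
        ("11111111-aaaa-4bbb-8ccc-000000000001", "default", "web-frontend"),
        ("22222222-aaaa-4bbb-8ccc-000000000002", "kube-system", "fluentbit-gke"),
        ("33333333-aaaa-4bbb-8ccc-000000000003", "istio-system", "istio-cni"),
    ]
    for pod_uid, ns, sa in samples:
        vol = root / pod_uid / "volumes" / "kubernetes.io~projected" / "kube-api-access-abcde"
        vol.mkdir(parents=True)
        (vol / "token").write_text(make_fake_token(ns, sa))
    return root


if __name__ == "__main__":
    for rec in find_exposed_tokens(build_sample_tree()):
        flag = "HIGH-VALUE" if rec["high_value"] else "          "
        print(f"{flag} {rec['namespace']}/{rec['serviceaccount']}  pod={rec['pod_uid']}")
```

Pointing `find_exposed_tokens` at a real hostPath mount of the kubelet pods directory (from inside a container that has one) shows exactly what a compromised logging agent would have been able to steal; if anything in a system or mesh namespace appears, that mount is the lateral-movement path the advisory describes and should be narrowed to the log files alone.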
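The second half of the fix, stripping excessive RBAC from the add-on, is something cluster operators can check for themselves. The following audit, added here as an illustration and not Google's or the researchers' code, takes a ClusterRole in the JSON shape `kubectl get clusterrole -o json` returns and flags the verb/resource grants that let a holder grow its own privileges: wildcards, `escalate`/`bind`/`update`/`patch` on ClusterRoles (the CRAC path quoted above), creating ClusterRoleBindings or pods, impersonation, minting tokens, and reading Secrets. The two roles it runs against are constructed examples of an over-broad add-on role and a narrowed one, not ASM's real manifests.

```python
"""Flag escalation paths in Kubernetes RBAC ClusterRole rules.

Added example (not Google's or the researchers' code). The two ClusterRoles
below are constructed illustrations, not ASM's actual manifests.
"""

# (verb, resource) grants that let the holder grow its own privileges.
# The wildcard entry is listed first so it short-circuits the others.
ESCALATION_GRANTS = {
    ("*", "*"): "wildcard: effectively cluster-admin",
    ("escalate", "clusterroles"): "can grant permissions it does not itself hold",
    ("bind", "clusterroles"): "can bind itself to any ClusterRole",
    ("update", "clusterroles"): "can rewrite existing ClusterRoles (the CRAC path)",
    ("patch", "clusterroles"): "can rewrite existing ClusterRoles (the CRAC path)",
    ("create", "clusterrolebindings"): "can bind any subject to cluster-admin",
    ("create", "pods"): "can run a pod under a more privileged serviceaccount",
    ("impersonate", "users"): "can act as another principal",
    ("impersonate", "serviceaccounts"): "can act as another principal",
    ("create", "serviceaccounts/token"): "can mint tokens for other service accounts",
    ("get", "secrets"): "can read legacy SA token Secrets",
    ("list", "secrets"): "can read legacy SA token Secrets",
}

# API group each watched resource lives in (core group is the empty string).
RESOURCE_GROUP = {
    "clusterroles": "rbac.authorization.k8s.io",
    "clusterrolebindings": "rbac.authorization.k8s.io",
    "pods": "", "secrets": "", "serviceaccounts": "",
    "serviceaccounts/token": "", "users": "",
}


def rule_grants(rule, verb, resource):
    """True if a single PolicyRule grants `verb` on `resource` (wildcards honoured)."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    groups = set(rule.get("apiGroups", []))
    return (
        ("*" in verbs or verb in verbs)
        and ("*" in resources or resource in resources)
        and ("*" in groups or RESOURCE_GROUP.get(resource) in groups)
    )


def escalation_findings(clusterrole):
    """Return (rule_index, verb, resource, reason) for every escalation-capable grant."""
    findings = []
    for i, rule in enumerate(clusterrole.get("rules", [])):
        for (verb, resource), reason in ESCALATION_GRANTS.items():
            if rule_grants(rule, verb, resource):
                findings.append((i, verb, resource, reason))
                if (verb, resource) == ("*", "*"):
                    break  # a full wildcard already covers everything else
    return findings


# Constructed "before": the kind of add-on role that lets a stolen token escalate.
OVERBROAD_ADDON_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-addon-overbroad"},  # made-up name
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
         "verbs": ["get", "update", "patch"]},
    ],
}

# Constructed "after": read-only on what the add-on actually needs.
NARROWED_ADDON_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-addon-narrowed"},  # made-up name
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
    ],
}


if __name__ == "__main__":
    for role in (OVERBROAD_ADDON_ROLE, NARROWED_ADDON_ROLE):
        print(role["metadata"]["name"])
        for idx, verb, res, reason in escalation_findings(role) or []:
            print(f"  rule[{idx}] {verb} {res}: {reason}")
```

Run the check over every ClusterRole bound to an add-on or system service account whose token a node-level agent could reach; a role with zero findings is one that a stolen token cannot turn into cluster-admin on its own.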
"Cloud vendors automatically create system pods when your cluster is launched," Ben Hai concluded. "They are built in your Kubernetes infrastructure, the same as add-on pods that are created when you enable a feature."
"This is because cloud or application vendors typically create and manage them, and the user has no control over their configuration or permissions. This can also be extremely risky since these pods run with elevated privileges."