Mandiant has disclosed a privilege escalation vulnerability it named “WireServing” in Azure Kubernetes Service (AKS). An attacker who had already obtained command execution in a single Pod could use it to recover the credentials AKS uses to join nodes to the cluster and escalate to reading Secrets across the cluster, without the Pod running as root, in a privileged security context, or with host networking enabled.
Vulnerability Overview:
- Vulnerability Name: WireServing (the name given by Mandiant)
- Affected Service: Azure Kubernetes Service (AKS), clusters configured with Azure CNI for networking and Azure network policy
- Components Exploited: the Azure WireServer (168.63.129.16, port 80) and HostGAPlugin (same address, port 32526), both reachable from inside a Pod
- Impact: disclosure of the node provisioning payload including the kubelet TLS bootstrap token, privilege escalation to a node identity, and read access to the Secrets mounted by workloads
Technical Details:
The vulnerability affected AKS clusters configured with Azure CNI for network configuration and Azure network policy. The chain ends in a TLS bootstrap attack: the kubelet TLS bootstrap token exists only so that a newly provisioned node can request its own client certificate from the API server, so anyone who holds a valid token can obtain node credentials for the cluster.
Key aspects of the attack include:
- Exposure of the node provisioning payload: From a compromised Pod, the attacker queries the WireServer for the VM's goal state and the HostGAPlugin for the VM settings. Those settings contain the protected settings of the extension that provisions the node, and the protected settings carry the node bootstrap script, including the TLS bootstrap token and other credentials.
- Undocumented Azure components: WireServer and HostGAPlugin belong to Azure's VM provisioning plumbing, not to Kubernetes, and are not documented for customer use. The protected settings are encrypted, but the WireServer would release the decryption key, wrapped with a certificate the caller supplied, to any process on the VM, Pods included, so the attacker could decrypt them without elevated privileges.
- Privilege escalation: With the TLS bootstrap token the attacker requests a client certificate for a node identity, and the cluster approves it as it would for a joining node. That identity can list the cluster's nodes and read the Secrets mounted by the workloads scheduled on the node it impersonates; repeating the step for each node reaches the mounted Secrets across the cluster.
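The post-exploitation steps above leave traces in the Kubernetes API audit log: a bootstrap token is presented to create a certificate signing request, and a node identity then lists nodes and reads Secrets. The following detection script is an added example, not part of Mandiant's report or of any Microsoft tooling. It consumes audit.k8s.io/v1 Event records as JSON lines (the format AKS exports in its kube-audit diagnostic log) and raises three cheap signals: a bootstrap or node identity used by a client whose User-Agent is not kubelet's, a node identity whose node name is not in the cluster's node inventory, and, optionally, either identity seen from a source address that is not a node address. The sample events, node names and IP addresses are constructed for the example.

```python
"""Hunt for misuse of kubelet bootstrap tokens and node identities in
Kubernetes API audit logs (added example; audit events below are constructed).

Identities of interest:
  system:bootstrap:<token-id>  the user a kubelet TLS bootstrap token maps to
  system:node:<node-name>      the user a kubelet client certificate maps to
"""
import json

KUBELET_UA_PREFIX = "kubelet/"          # kubelet's User-Agent starts "kubelet/v1.x.y (os/arch) kubernetes/<commit>"
NODE_PREFIX = "system:node:"
BOOTSTRAP_PREFIX = "system:bootstrap:"

# Constructed sample log. a1 and a3 are normal kubelet behaviour from node
# 10.224.0.4; a2, a4 and a5 model an attacker in a Pod (10.224.0.37) who
# holds a stolen bootstrap token and node certificates; a6 is an unrelated user.
SAMPLE_AUDIT_LOG = """\
{"auditID":"a1","verb":"create","user":{"username":"system:bootstrap:abcdef"},"userAgent":"kubelet/v1.29.7 (linux/amd64) kubernetes/1234567","sourceIPs":["10.224.0.4"],"objectRef":{"resource":"certificatesigningrequests"},"responseStatus":{"code":201}}
{"auditID":"a2","verb":"create","user":{"username":"system:bootstrap:abcdef"},"userAgent":"kubectl/v1.29.7 (linux/amd64) kubernetes/1234567","sourceIPs":["10.224.0.37"],"objectRef":{"resource":"certificatesigningrequests"},"responseStatus":{"code":201}}
{"auditID":"a3","verb":"get","user":{"username":"system:node:aks-nodepool1-12345678-vmss000000"},"userAgent":"kubelet/v1.29.7 (linux/amd64) kubernetes/1234567","sourceIPs":["10.224.0.4"],"objectRef":{"resource":"secrets","namespace":"default","name":"app-db"},"responseStatus":{"code":200}}
{"auditID":"a4","verb":"list","user":{"username":"system:node:aks-nodepool1-12345678-vmss000000"},"userAgent":"kubectl/v1.29.7 (linux/amd64) kubernetes/1234567","sourceIPs":["10.224.0.37"],"objectRef":{"resource":"nodes"},"responseStatus":{"code":200}}
{"auditID":"a5","verb":"get","user":{"username":"system:node:aks-nodepool1-12345678-vmss000099"},"userAgent":"kubelet/v1.29.7 (linux/amd64) kubernetes/1234567","sourceIPs":["10.224.0.37"],"objectRef":{"resource":"secrets","namespace":"default","name":"app-db"},"responseStatus":{"code":200}}
{"auditID":"a6","verb":"get","user":{"username":"alice@example.com"},"userAgent":"kubectl/v1.29.7 (darwin/arm64) kubernetes/1234567","sourceIPs":["203.0.113.10"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit output into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _identity_kind(username):
    if username.startswith(BOOTSTRAP_PREFIX):
        return "bootstrap"
    if username.startswith(NODE_PREFIX):
        return "node"
    return None


def find_node_identity_abuse(events, known_nodes, node_ips=None):
    """Return (reason, auditID) findings for suspicious use of node credentials.

    known_nodes: set of node names, e.g. from `kubectl get nodes`.
    node_ips:    set of node addresses; None skips the source-address check.
    """
    findings = []
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        kind = _identity_kind(user)
        if kind is None:
            continue  # only bootstrap tokens and node identities are of interest
        aid = ev.get("auditID", "?")
        ua = ev.get("userAgent", "")
        if not ua.startswith(KUBELET_UA_PREFIX):
            findings.append((f"{kind} identity {user} used by non-kubelet client {ua!r}", aid))
        if kind == "node":
            node = user[len(NODE_PREFIX):]
            if node not in known_nodes:
                findings.append((f"node identity for unknown node {node}", aid))
        if node_ips is not None:
            src = (ev.get("sourceIPs") or ["?"])[0]
            if src not in node_ips:
                findings.append((f"{kind} identity {user} from non-node address {src}", aid))
    return findings


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    nodes = {"aks-nodepool1-12345678-vmss000000"}
    for reason, aid in find_node_identity_abuse(events, nodes, node_ips={"10.224.0.4"}):
        print(f"{aid}: {reason}")
```

Two caveats apply in practice. The User-Agent is chosen by the client, so an attacker who imitates kubelet defeats the first signal; it is a tripwire for the common case, not a guarantee, which is why the unknown-node check is evaluated independently. The source-address check only works where the audit log records the real client address (a private cluster or API server VNet integration); with a public API endpoint, outbound SNAT gives node and Pod traffic the same source IP, and the check should be disabled by passing node_ips=None.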
Significance:
WireServing is dangerous because it sidesteps the controls Kubernetes operators usually rely on. The Pod needs no root, no privileged security context and no host networking, and Kubernetes RBAC is never consulted, because the credentials are obtained from the Azure host platform rather than from the Kubernetes API. A compromise of any single workload in an affected cluster, such as through a web application vulnerability, could therefore be turned into cluster-wide disclosure of mounted Secrets, with the data breach and financial and reputational consequences that follow.
Mitigation and Response:
After receiving Mandiant's report, Microsoft fixed the vulnerability on the AKS side. The reported changes focused on:
- TLS bootstrap token handling: the way AKS clusters handle TLS bootstrap tokens during node provisioning was changed so that unauthorized access to the tokens is prevented and the escalation path through them is closed.
- Access to the host metadata endpoints: measures were added to prevent unauthorized access to the metadata endpoints (WireServer and HostGAPlugin) that formed the first link in the attack chain.
Recommendations:
- Keep clusters current: AKS is a managed service, but node pools pick up platform changes only through AKS version and node image upgrades, so organizations should confirm their clusters and node pools are on current releases rather than assume the fix is in place.
- Restrict what Pods can reach: Pods rarely need to talk to the Azure WireServer (168.63.129.16) or the instance metadata service (169.254.169.254). Deny that egress with NetworkPolicy for workloads that do not need it, run Pods with the minimum privileges they require, and treat kubelet credentials and TLS bootstrap tokens as secrets to be rotated after any suspected exposure.
- Audit and monitor: review Kubernetes audit logs for bootstrap tokens and node identities used by non-kubelet clients, and audit cluster configuration regularly, paying particular attention to platform services that Pods can reach but that Kubernetes controls do not govern.
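The egress restriction recommended above is the control that removes the whole class of attack: if a Pod cannot reach the WireServer or HostGAPlugin, nothing they expose matters. The following script is an added example, not from Mandiant or Microsoft. It builds a NetworkPolicy that denies egress to the two Azure link-local endpoints while leaving all other egress open, and it evaluates, using the NetworkPolicy API's own isolation rules, whether a given set of policies actually blocks a Pod's egress to a destination, which is the check to run against the policies already deployed in a namespace. The endpoint addresses are Azure's; the policy name, namespace and Pod labels are made up.

```python
"""Deny Pod egress to the Azure WireServer and IMDS with a NetworkPolicy, and
check whether a set of policies really blocks it (added example; policy name,
namespace and labels are made up).
"""
import ipaddress
import json

WIRESERVER = "168.63.129.16/32"   # Azure WireServer (port 80) and HostGAPlugin (port 32526)
IMDS = "169.254.169.254/32"       # Azure Instance Metadata Service


def deny_azure_metadata_policy(namespace, name="deny-azure-metadata", pod_labels=None):
    """NetworkPolicy allowing all egress except to the two host endpoints.

    An empty podSelector selects every Pod in the namespace. The rule has no
    'ports', so all ports are allowed to permitted destinations; cluster DNS
    and the API server stay reachable because they fall inside 0.0.0.0/0.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_labels or {}},
            "policyTypes": ["Egress"],
            "egress": [
                {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": [WIRESERVER, IMDS]}}]}
            ],
        },
    }


def _selects(selector, labels):
    """podSelector matchLabels semantics; matchExpressions are not modelled."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _ipblock_allows(block, ip):
    """An ipBlock matches an address inside 'cidr' that is in none of 'except'."""
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(cidr) for cidr in block.get("except", []))


def egress_allowed(policies, pod_labels, dst_ip):
    """Evaluate NetworkPolicy egress rules for one Pod and one destination IP.

    A Pod is egress-isolated only if some policy selecting it has 'Egress' in
    policyTypes (which defaults to Ingress, plus Egress when an egress section
    is present). An isolated Pod may reach only destinations matched by an
    egress rule of a selecting policy. Only ipBlock peers are evaluated here;
    podSelector/namespaceSelector peers need live cluster state to resolve.
    """
    ip = ipaddress.ip_address(dst_ip)
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if "Egress" not in types or not _selects(spec.get("podSelector", {}), pod_labels):
            continue
        isolated = True
        for rule in spec.get("egress", []):
            if not rule.get("to"):
                return True  # an empty or missing 'to' matches every destination
            if any("ipBlock" in peer and _ipblock_allows(peer["ipBlock"], ip) for peer in rule["to"]):
                return True
    return not isolated


if __name__ == "__main__":
    policy = deny_azure_metadata_policy("default")
    print(json.dumps(policy, indent=2))  # pipe into `kubectl apply -f -`
    for target in ("168.63.129.16", "169.254.169.254", "10.0.0.10"):
        verdict = "allowed" if egress_allowed([policy], {"app": "web"}, target) else "blocked"
        print(f"{target}: {verdict}")
```

Three points to keep in mind when deploying this. NetworkPolicy objects are only enforced when a policy engine (Azure network policy, Calico or Cilium) is enabled on the cluster; on a cluster without one, the object is accepted and ignored, which is exactly what the egress_allowed check cannot see. Pods running with hostNetwork bypass NetworkPolicy, and the node itself must keep talking to the WireServer, so the restriction belongs at the Pod level only. Finally, workloads that obtain managed identity tokens through IMDS need a narrower podSelector or their own exemption, whereas workloads using Microsoft Entra Workload ID exchange a projected service account token directly and do not depend on 169.254.169.254.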
The WireServing vulnerability in Azure Kubernetes Service underscores that a Kubernetes cluster is only as secure as the cloud platform beneath it: undocumented host services reachable from a Pod can undo the isolation Kubernetes itself provides. Organizations must keep clusters current, restrict what their Pods can reach, and monitor for misuse of node credentials to protect critical infrastructure against evolving threats.