Open Nav
Sign Up

Privilege Escalation Flaw in Google Cloud’s Kubernetes Service Resolved

Google Cloud Kubernetes Patch Release

Bar Refael

January 1, 2024

Google Cloud recently patched a medium-severity security vulnerability in its Kubernetes Service, which could allow attackers with existing access to a Kubernetes cluster to escalate their privileges. Discovered and reported by Palo Alto Networks Unit 42, this flaw posed a significant risk, potentially enabling data theft, deployment of malicious pods, and disruption of cluster operations.

Details of the Vulnerability:

  • Affected Service: Google Kubernetes Service (GKE) and Anthos Service Mesh (ASM).
  • Flaw Description: The vulnerability was rooted in the configuration of Fluent Bit, a logging container used in GKE. The flawed configuration granted Fluent Bit access to Kubernetes service account tokens, which could be exploited to gain privileged access to a cluster.
  • Impact: If exploited, the vulnerability could lead to unauthorized actions like creating new pods with elevated privileges, leading to data theft or operational disruption.

Attack Vector:

  • Initial Compromise: The exploitation of this vulnerability required prior compromise of a FluentBit container, potentially through methods like remote code execution flaws.
  • Privilege Escalation: Post-compromise, the attacker could use ASM’s service account token to escalate their privileges within the Kubernetes cluster.

Resolution and Updates:

  • Patched Versions: Google Cloud addressed the issue in the following versions:
    • GKE: Versions 1.25.16-gke.1020000 to 1.28.4-gke.1083000
    • ASM: Versions 1.17.8-asm.8 to 1.19.5-asm.4
  • Fixes Implemented: Google removed Fluent Bit’s access to service account tokens and restructured ASM to minimize role-based access control permissions.

Recommendations:

  • Update to Patched Versions: Users of Google Kubernetes Service and Anthos Service Mesh should immediately update to the patched versions.
  • Continuous Monitoring: Regularly monitor Kubernetes clusters for unusual activities or unauthorized access.
  • Review of Service Accounts and Permissions: Conduct an audit of service accounts and permissions within Kubernetes clusters to ensure least privilege access.

This incident underscores the importance of vigilant security practices in cloud environments, especially in complex systems like Kubernetes. While there was no evidence of exploitation in the wild, the proactive identification and resolution of such vulnerabilities are crucial in maintaining robust cloud security and protecting against potential cyber threats.

Resources highlights

Critical Cisco Secure FMC Vulnerabilities Allow Root Access (CVE-2026-20079 & CVE-2026-20131)

Cisco has released security updates addressing two maximum-severity vulnerabilities affecting Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) firewall management platforms.…

Read more >

CVE-2026-20079 & CVE-2026-20131

Actively Exploited VMware Aria Operations RCE (CVE-2026-22719)

A high-severity vulnerability in VMware Aria Operations has been added to the Known Exploited Vulnerabilities Catalog, indicating evidence of exploitation in real-world attacks. The vulnerability,…

Read more >

CVE-2026-22719

CVE-2026-20127 & CVE-2022-20775: Active Exploitation of Cisco SD-WAN Systems

A coordinated global campaign targeting Cisco SD-WAN environments has been identified by CISA, NSA, and international partners. Threat actors are actively exploiting a chain of…

Read more >

CVE-2026-20127

CVE-2025-49113 & CVE-2025-68461: Actively Exploited Roundcube Webmail Vulnerabilities

Two critical vulnerabilities affecting Roundcube Webmail, a widely deployed web-based email client (commonly bundled with cPanel), have been confirmed as actively exploited in the wild.…

Read more >

CVE-2025-49113

CVE-2026-20140: Splunk Enterprise for Windows Local Privilege Escalation

Splunk disclosed a high-severity local privilege escalation (LPE) vulnerability affecting Splunk Enterprise for Windows. An attacker with low-privileged local access may be able to escalate…

Read more >

CVE-2026-20140

CVE-2026-22769: Critical Dell RecoverPoint Hardcoded Credential Vulnerability

A critical vulnerability, CVE-2026-22769 (CVSS 10.0), has been identified in Dell RecoverPoint for Virtual Machines, a widely used enterprise backup and disaster recovery solution for…

Read more >

CVE-2026-22769
Under Cyber Attack?

Fill out the form and we will contact you immediately.