Google Cloud recently patched a medium-severity security vulnerability in its Kubernetes Service, which could allow attackers with existing access to a Kubernetes cluster to escalate their privileges. Discovered and reported by Palo Alto Networks Unit 42, this flaw posed a significant risk, potentially enabling data theft, deployment of malicious pods, and disruption of cluster operations.
Details of the Vulnerability:
- Affected Service: Google Kubernetes Service (GKE) and Anthos Service Mesh (ASM).
- Flaw Description: The vulnerability was rooted in the configuration of Fluent Bit, a logging container used in GKE. The flawed configuration granted Fluent Bit access to Kubernetes service account tokens, which could be exploited to gain privileged access to a cluster.
- Impact: If exploited, the vulnerability could lead to unauthorized actions like creating new pods with elevated privileges, leading to data theft or operational disruption.
Attack Vector:
- Initial Compromise: The exploitation of this vulnerability required prior compromise of a FluentBit container, potentially through methods like remote code execution flaws.
- Privilege Escalation: Post-compromise, the attacker could use ASM’s service account token to escalate their privileges within the Kubernetes cluster.
Resolution and Updates:
- Patched Versions: Google Cloud addressed the issue in the following versions:
- GKE: Versions 1.25.16-gke.1020000 to 1.28.4-gke.1083000
- ASM: Versions 1.17.8-asm.8 to 1.19.5-asm.4
- Fixes Implemented: Google removed Fluent Bit’s access to service account tokens and restructured ASM to minimize role-based access control permissions.
Recommendations:
- Update to Patched Versions: Users of Google Kubernetes Service and Anthos Service Mesh should immediately update to the patched versions.
- Continuous Monitoring: Regularly monitor Kubernetes clusters for unusual activities or unauthorized access.
- Review of Service Accounts and Permissions: Conduct an audit of service accounts and permissions within Kubernetes clusters to ensure least privilege access.
This incident underscores the importance of vigilant security practices in cloud environments, especially in complex systems like Kubernetes. While there was no evidence of exploitation in the wild, the proactive identification and resolution of such vulnerabilities are crucial in maintaining robust cloud security and protecting against potential cyber threats.
