Open Nav
Sign Up

Privilege Escalation Flaw in Google Cloud’s Kubernetes Service Resolved

Google Cloud Kubernetes Patch Release

Bar Refael

January 1, 2024

Google Cloud recently patched a medium-severity security vulnerability in its Kubernetes Service, which could allow attackers with existing access to a Kubernetes cluster to escalate their privileges. Discovered and reported by Palo Alto Networks Unit 42, this flaw posed a significant risk, potentially enabling data theft, deployment of malicious pods, and disruption of cluster operations.

Details of the Vulnerability:

  • Affected Service: Google Kubernetes Service (GKE) and Anthos Service Mesh (ASM).
  • Flaw Description: The vulnerability was rooted in the configuration of Fluent Bit, a logging container used in GKE. The flawed configuration granted Fluent Bit access to Kubernetes service account tokens, which could be exploited to gain privileged access to a cluster.
  • Impact: If exploited, the vulnerability could lead to unauthorized actions like creating new pods with elevated privileges, leading to data theft or operational disruption.

Attack Vector:

  • Initial Compromise: The exploitation of this vulnerability required prior compromise of a FluentBit container, potentially through methods like remote code execution flaws.
  • Privilege Escalation: Post-compromise, the attacker could use ASM’s service account token to escalate their privileges within the Kubernetes cluster.

Resolution and Updates:

  • Patched Versions: Google Cloud addressed the issue in the following versions:
    • GKE: Versions 1.25.16-gke.1020000 to 1.28.4-gke.1083000
    • ASM: Versions 1.17.8-asm.8 to 1.19.5-asm.4
  • Fixes Implemented: Google removed Fluent Bit’s access to service account tokens and restructured ASM to minimize role-based access control permissions.

Recommendations:

  • Update to Patched Versions: Users of Google Kubernetes Service and Anthos Service Mesh should immediately update to the patched versions.
  • Continuous Monitoring: Regularly monitor Kubernetes clusters for unusual activities or unauthorized access.
  • Review of Service Accounts and Permissions: Conduct an audit of service accounts and permissions within Kubernetes clusters to ensure least privilege access.

This incident underscores the importance of vigilant security practices in cloud environments, especially in complex systems like Kubernetes. While there was no evidence of exploitation in the wild, the proactive identification and resolution of such vulnerabilities are crucial in maintaining robust cloud security and protecting against potential cyber threats.

Resources highlights

Ivanti EPMM Unauthenticated RCE Actively Exploited (CVE-2026-1340)

CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that enables unauthenticated remote code execution (RCE). The flaw has been confirmed…

Read more >

CVE-2026-1340

FortiClient EMS 0-Day Enables RCE (CVE-2026-35616)

Fortinet has confirmed active exploitation of CVE-2026-35616 in the wild. The vulnerability was reportedly leveraged as a zero-day prior to disclosure, indicating that attackers had…

Read more >

CVE-2026-35616

Axios Supply Chain Attack: Malicious npm Releases Deliver Cross-Platform Payload

A software supply chain attack has been identified impacting the widely used axios npm package. On March 31, 2026, two malicious versions, axios@1.14.1 and axios@0.30.4,…

Read more >

axios-npm-supply-chain-attack-malicious-packages

CVE-2026-33017: Langflow Code Injection Vulnerability

A critical vulnerability in Langflow, tracked as CVE-2026-33017, is being actively exploited in the wild and poses a serious risk to organizations using exposed self-hosted…

Read more >

cve-2026-33017

Citrix NetScaler Vulnerabilities Expose Sensitive Data and Session Integrity Risks (CVE-2026-3055 & CVE-2026-4368)

Citrix has released security updates addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway that may allow attackers to leak sensitive data or interfere with…

Read more >

cve-2026-3055

Active Exploitation of Microsoft SharePoint RCE (CVE-2026-20963)

A critical Microsoft SharePoint vulnerability, CVE-2026-20963, is now being actively exploited in the wild. The flaw enables remote code execution (RCE) and has been added…

Read more >

cve-2026-20963
Under Cyber Attack?

Fill out the form and we will contact you immediately.