Google Cloud has addressed a critical security vulnerability in its platform that an attacker who has already gained a foothold in a Kubernetes cluster could exploit to escalate their privileges within that cluster.
"An attacker who has compromised the Fluent Bit logging container could combine that access with the high privileges required for Anthos Service Mesh (on clusters with this feature enabled) to elevate privileges in the cluster," the company said in a bulletin posted on December 14, 2023.
Palo Alto Networks Unit 42, which discovered and reported the flaw, said an attacker could use it to "steal data, deploy malicious pods and disrupt cluster operations."
There is currently no evidence of the issue being exploited in the wild. The issue is resolved in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM):
GKE:
1.25.16-gke.1020000
1.26.10-gke.1235000
1.27.7-gke.1293000
1.28.4-gke.1083000
ASM:
1.17.8-asm.8
1.18.6-asm.2
1.19.5-asm.4
The key prerequisite for exploiting this vulnerability is that the attacker has already compromised the Fluent Bit container by some other initial-access route, for example a remote code execution vulnerability. On its own, the flaw is a privilege escalation, not an entry point.
Google explains in detail: "GKE uses Fluent Bit to process logs from workloads running on the cluster. Fluent Bit on GKE is also configured to collect logs from Cloud Run workloads. The volume mount configured to collect these logs allows Fluent Bit to access the Kubernetes service account tokens of other Pods running on the node." In other words, an attacker controlling the Fluent Bit container on a node can read the projected service account token of every other Pod scheduled on that node. On an ASM-enabled cluster, that includes the tokens of ASM's highly privileged service accounts; with such a token the attacker can create a new Pod and, following the route described next, end up with cluster-admin privileges.
Security researcher Shaul Ben Hai said, "The clusterrole-aggregation-controller (CRAC) service account is probably the preferred choice because it can add arbitrary privileges to existing cluster roles. An attacker can update the cluster role bound to CRAC to gain all privileges."
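The two ingredients of the chain just described (a hostPath mount that reaches into the kubelet's per-Pod directories, and a service account whose ClusterRole can grant itself more rights) are both visible in ordinary API objects. The following audit helpers are an added example, not code from Google, Unit 42 or GKE. They assume that the kubelet materialises each Pod's projected token under /var/lib/kubelet/pods/<pod-uid>/volumes/kubernetes.io~projected/<volume>/token, and the Pod, ClusterRole and directory listing they run on are constructed here to mimic `kubectl get ... -o json` output and a shell listing from inside a container with such a mount:

```python
"""Added audit helpers: flag hostPath mounts that expose other Pods' tokens
and (Cluster)Roles that let their holder grow its own privileges.
All sample objects below are constructed for illustration."""
import fnmatch
from pathlib import PurePosixPath

# Assumption: the kubelet keeps every Pod's volumes, including the projected
# service-account token, under this directory on the node.
KUBELET_PODS_DIR = PurePosixPath("/var/lib/kubelet/pods")
# Glob matching the projected token file inside that tree (assumed layout).
TOKEN_GLOB = "/var/lib/kubelet/pods/*/volumes/kubernetes.io~projected/*/token"
RBAC_GROUP = "rbac.authorization.k8s.io"


def hostpath_exposes_tokens(pod: dict) -> list[str]:
    """Names of hostPath volumes whose path equals, contains or lies inside the
    kubelet pods directory; any of them lets the container read tokens of
    other Pods on the same node."""
    hits = []
    for vol in pod.get("spec", {}).get("volumes", []):
        host_path = vol.get("hostPath", {}).get("path")
        if not host_path:
            continue
        p = PurePosixPath(host_path)
        if p == KUBELET_PODS_DIR or p in KUBELET_PODS_DIR.parents or KUBELET_PODS_DIR in p.parents:
            hits.append(vol["name"])
    return hits


def tokens_in_listing(paths: list[str]) -> dict[str, str]:
    """Map Pod UID -> token file for every projected token visible in a
    directory listing of the mounted tree."""
    found = {}
    for path in paths:
        if fnmatch.fnmatchcase(path, TOKEN_GLOB):
            uid = PurePosixPath(path).relative_to(KUBELET_PODS_DIR).parts[0]
            found[uid] = path
    return found


def role_allows_escalation(role: dict) -> list[str]:
    """Reasons a holder of this (Cluster)Role can expand its own privileges."""
    reasons = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups and "*" in resources and "*" in verbs:
            reasons.append("wildcard rule: cluster-admin equivalent")
            continue
        if groups & {RBAC_GROUP, "*"} and resources & {"clusterroles", "roles", "*"}:
            if verbs & {"escalate", "*"}:
                reasons.append("'escalate' on roles: can add arbitrary rules to a role it holds")
            if verbs & {"bind", "*"}:
                reasons.append("'bind' on roles: can bind to roles whose rights it does not hold")
        if groups & {"", "*"} and resources & {"pods", "*"} and verbs & {"create", "*"}:
            reasons.append("create pods: can run a Pod under any service account in the namespace")
    return reasons


# Constructed Pod modelled on a logging DaemonSet that mounts the kubelet tree.
LOGGING_POD = {
    "metadata": {"name": "fluentbit-example", "namespace": "kube-system"},
    "spec": {"volumes": [
        {"name": "varlog", "hostPath": {"path": "/var/log"}},
        {"name": "varlibkubeletpods", "hostPath": {"path": "/var/lib/kubelet/pods"}},
    ]},
}
# Constructed ClusterRole modelled on the clusterrole-aggregation-controller's.
CRAC_ROLE = {
    "metadata": {"name": "system:controller:clusterrole-aggregation-controller"},
    "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"],
               "verbs": ["escalate", "get", "list", "patch", "update", "watch"]}],
}
READ_ONLY_ROLE = {"metadata": {"name": "view-pods"},
                  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
# Constructed listing of the mounted tree as seen from inside the container.
NODE_LISTING = [
    "/var/lib/kubelet/pods/1111-aaaa/volumes/kubernetes.io~projected/kube-api-access-abcde/token",
    "/var/lib/kubelet/pods/1111-aaaa/volumes/kubernetes.io~projected/kube-api-access-abcde/ca.crt",
    "/var/lib/kubelet/pods/2222-bbbb/volumes/kubernetes.io~projected/kube-api-access-fghij/token",
    "/var/lib/kubelet/pods/2222-bbbb/volumes/kubernetes.io~empty-dir/cache/token",
]

if __name__ == "__main__":
    print("token-exposing mounts:", hostpath_exposes_tokens(LOGGING_POD))
    print("tokens readable from node:", sorted(tokens_in_listing(NODE_LISTING)))
    print("CRAC risk:", role_allows_escalation(CRAC_ROLE))
    print("view-pods risk:", role_allows_escalation(READ_ONLY_ROLE))
```

Run over real output (`kubectl get pods -A -o json`, `kubectl get clusterroles -o json`), the first function lists every workload that can read its neighbours' tokens, and the third lists every role that turns such a token into a path to cluster-admin; a Pod that trips the first check running under a service account bound to a role that trips the third is exactly the combination the bulletin describes.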
As a fix, Google removed Fluent Bit's access to the service account tokens and re-architected ASM so that it no longer needs the excessive role-based access control (RBAC) permissions.
Ben Hai summarizes: "When you start a cluster, the cloud provider automatically creates system Pods. They are built in your Kubernetes infrastructure along with the plugin Pods created when the feature is enabled. This is because the cloud provider or application vendor typically creates and manages them, and the user has no control over their configuration or permissions. This can also be very dangerous because these Pods run with elevated privileges."
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/google-cloud-fixes-kubernetes-privilege.html