Attackers with access to a Kubernetes cluster can now potentially chain together two vulnerabilities in the Google Kubernetes Engine (GKE) that would let them escalate their privileges.
In a blog post Dec. 27, the Unit 42 research team at Palo Alto Networks, said attackers can exploit this access to conduct data theft, deploy malicious pods, and disrupt the cluster's operations.
Security pros take note: Google fixed both configuration issues on Dec. 14 with GCP-2023-047, so patches have been available for two weeks.
In explaining the bugs in the blog, the Unit 42 researchers said the first flaw is the default configuration of GKE’s logging agent, FluentBit, which runs by default on all Kubernetes clusters. The second bug, the default privileges for Anthos Service Mesh (ASM), operates as an optional add-on that customers can enable.
According to the researchers, if an attackers can execute in the FluentBit container and the cluster has ASM installed, the threat actors have to ability to create a single chain that can give them control of a Kubernetes cluster.
Chaining vulnerabilities is a common technique used by more advanced and sophisticated attackers to gain access to a victim’s environment, explained Joseph Carson, chief security scientist and Advisory CISO at Delinea. Carson said these types of tactics are often used for targeted attacks, rather than opportunistic campaigns. Therefore, Carson said it’s important for organizations to perform a risk assessment to determine environments where these types of configurations exist and mitigate them where possible.
“Once attackers discover these types of vulnerability chains, they tend to attempt to automate discovery tools that will find environments where they are configured with these specific configurations and versions so they can later take advantage of escalating privileges,” said Carson. “Sometimes it’s to exploit the victim themselves or deliver payloads that enable backdoors that they later sell to other cybercriminals.
Callie Guenther, senior manager, cyber threat research at Critical Start, added that the scenario outlined by Palo Alto Networks highlights a critical aspect of cybersecurity: the compounded risk when multiple vulnerabilities are chained together.
Guenther said in complex systems like Kubernetes, it’s not uncommon to find vulnerabilities that attackers can exploit in tandem. However, Guenther pointed out that it's less common for two distinct vulnerabilities in different components (like FluentBit and ASM in this case) to align in a way that allows for such a significant escalation of privileges.
“This specificity makes the scenario less common, but more dangerous for those environments that meet the criteria,” explained Guenther. “The ability to escalate privileges and potentially take over an entire Kubernetes cluster is extremely serious. Kubernetes clusters often run critical applications and services, and a takeover could lead to significant operational disruptions, data theft, or deployment of malicious applications.”
