Aug 20, 2024 | Ravie Lakshmanan | Vulnerability / Container Security
Cybersecurity researchers have uncovered a security flaw in Microsoft Azure Kubernetes Services (AKS) that could lead to a severe breach of cluster security. If exploited, the vulnerability allows malicious actors to escalate their privileges and gain access to sensitive credentials used within the cluster.
According to a report by Google-owned Mandiant, the flaw enables an attacker running a Pod within an affected Azure Kubernetes Services cluster to download the cluster node’s provisioning configuration, extract TLS bootstrap tokens, and carry out a TLS bootstrap attack to access all secrets stored within the cluster.
Clusters that use "Azure CNI" for the "Network configuration" and "Azure" for the "Network Policy" have been identified as susceptible to this privilege escalation bug. Microsoft addressed the issue following responsible disclosure.
The attack technique devised by the researchers involves leveraging an obscure component known as Azure WireServer to obtain an encryption key used to decrypt protected settings values (“wireserver.key”). This key can then be used to decode a provisioning script containing critical secrets such as KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, KUBELET_CA_CRT, and TLS_BOOTSTRAP_TOKEN.
While KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, and KUBELET_CA_CRT can be decoded and utilized with kubectl, TLS_BOOTSTRAP_TOKEN facilitates a TLS bootstrap attack that can provide unauthorized access to all running workload secrets, even without the need for root access.
Enforcing robust NetworkPolicies and restricting pod access to only the services they require are recommended to prevent such attacks. Mandiant emphasizes that limiting access to undocumented services such as WireServer mitigates the risk of privilege escalation.
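As an added illustration of the NetworkPolicy mitigation described above (example configuration, not from the article or from Mandiant): a namespace-scoped policy that blocks pod egress to the Azure WireServer while leaving other egress unchanged. It assumes the WireServer address 168.63.129.16 from Azure documentation and the namespace `default`.

```yaml
# Added example, not from the article or Mandiant: keep pods in a namespace
# from reaching the Azure WireServer. The address 168.63.129.16 is taken from
# Azure documentation, not from the article, and is an assumption here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-wireserver-egress
  namespace: default          # NetworkPolicies are namespaced: apply one per namespace
spec:
  podSelector: {}             # empty selector = every pod in the namespace
  policyTypes:
    - Egress
  egress:
    # Egress rules are allow-lists, so "deny one address" is written as
    # "allow everything except that address".
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 168.63.129.16/32   # Azure WireServer (assumed address)
```

Pods running with hostNetwork are not governed by NetworkPolicy, and an allow-all-except rule still permits every other destination, so treat this as a floor beneath the tighter per-workload egress policies the article recommends; verify that cluster DNS still resolves after applying it, since ipBlock matching of in-cluster addresses is implementation-dependent.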
In a similar vein, a high-severity vulnerability (CVE-2024-7646) affecting the ingress-nginx controller in Kubernetes has also been highlighted, allowing attackers to gain unauthorized access to critical cluster resources. The flaw stems from a validation issue in the annotations on Ingress objects, potentially leading to arbitrary command injection and unauthorized access to sensitive credentials.
Another design flaw discovered in the Kubernetes git-sync project poses a risk of command injection across various Kubernetes services such as Amazon EKS, Azure AKS, Google GKE, and Linode. This flaw can result in data exfiltration or command execution with user privileges, underscoring the importance of auditing git-sync pods for suspicious commands.
As organizations grapple with evolving threat landscapes, the need for robust user input sanitization and proactive monitoring of unusual activities is more critical than ever. Both attackers and defenders continue to innovate, underscoring the necessity for continuous vigilance and preventive measures in maintaining the cybersecurity posture.