Attackers Exploit Two Google Kubernetes Engine Vulnerabilities to Escalate Privileges

Attackers with access to Kubernetes clusters can now leverage two vulnerabilities within Google Kubernetes Engine (GKE) to escalate their privileges.

In a blog post on December 27, the Unit 42 research team from Palo Alto Networks stated that attackers could use this access to engage in data theft, deploy malicious Pods, and disrupt the normal operation of the cluster.

Security professionals should note that Google patched these two configuration issues on December 14 through security bulletin GCP-2023-047, so the fixes have been available for two weeks.

Explaining the flaws outlined in the blog, Unit 42 researchers pointed out that the first vulnerability involves the default configuration of the GKE log proxy, FluentBit, which runs by default on all Kubernetes clusters. The second flaw relates to default permissions in Anthos Service Mesh (ASM), operating as an optional plugin that customers can enable.

Researchers noted that if an attacker can execute code within the FluentBit container and ASM is installed on the cluster, the threat actor can create a chain to take control of the Kubernetes cluster.

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, explained that chaining vulnerabilities is a common technique used by more advanced and sophisticated attackers to access victim environments. Carson stated that such tactics are typically employed in targeted attacks rather than opportunistic activities. Therefore, Carson emphasized the importance for organizations to conduct risk assessments to identify environments with these configurations and mitigate them where possible.

Carson said, “Once attackers discover these types of vulnerability chains, they often attempt automated discovery tools that will find environments configured with these specific settings and versions, so they can later leverage the escalated privileges.” He added, “Sometimes, they exploit the victim themselves or provide a payload to enable a backdoor, which they then sell to other cybercriminals.”

Callie Guenther, Advanced Threat Manager at Critical Start Network Threat Research, added that the scenario outlined by Palo Alto Networks highlights a critical aspect of cybersecurity: the compounded risk when multiple vulnerabilities are linked together.

Guenther stated that in complex systems like Kubernetes, discovering vulnerabilities that an attacker can exploit simultaneously is not uncommon. However, Guenther pointed out that it is rare for two distinct vulnerabilities in different components, such as FluentBit and ASM in this case, to align in a way that allows such a significant privilege escalation.

“This specificity makes this situation less common but more dangerous for environments that fit the criteria,” explained Guenther. “The ability to escalate privileges and potentially take over an entire Kubernetes cluster is extremely severe. Kubernetes clusters typically run critical applications and services, and a takeover could result in significant operational disruptions, data theft, or the deployment of malicious applications.”