Google Cloud Addresses Privilege Escalation Vulnerability in Kubernetes Service


Google Cloud has fixed a medium-severity security flaw that an attacker who already has access to a Kubernetes cluster could exploit to escalate their privileges.

The vulnerability was reported by Palo Alto Networks Unit 42, which highlighted the potential for adversaries to exploit the flaw for activities such as data theft, deploying malicious pods, and disrupting the cluster’s operations. Google Cloud, in its advisory released on December 14, 2023, acknowledged the risk and detailed the resolution steps.

According to the advisory, the flaw could be exploited by an attacker who has compromised the Fluent Bit logging container. By combining this access with the elevated privileges required by Anthos Service Mesh (ASM) on clusters with ASM enabled, an attacker could escalate their privileges within the cluster.

There is no evidence suggesting that this vulnerability has been exploited in the wild. Google Cloud has addressed the issue in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM):

  • GKE: 1.25.16-gke.1020000, 1.26.10-gke.1235000, 1.27.7-gke.1293000, 1.28.4-gke.1083000
  • ASM: 1.17.8-asm.8, 1.18.6-asm.2, 1.19.5-asm.4

Successful exploitation of this vulnerability requires that the attacker has already compromised a Fluent Bit container through an initial access method, such as exploiting a remote code execution flaw.

Google Cloud clarified that Fluent Bit on GKE had been configured to collect logs for Cloud Run workloads, and the volume mount configured for this purpose granted Fluent Bit access to Kubernetes service account tokens for other Pods on the node. This could be exploited by a threat actor to gain privileged access to a Kubernetes cluster with ASM enabled and subsequently use ASM’s service account token to escalate privileges.

To address the issue, Google has removed Fluent Bit’s access to service account tokens and re-architected ASM’s functionality to eliminate excessive role-based access control (RBAC) permissions.
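The two paragraphs above describe the root cause (a volume mount that let the logging container read other pods' service account tokens) and the fix (removing that access). The following audit script is an added example, not Google's code or part of the advisory: it scans the JSON that `kubectl get pods -A -o json` produces and flags containers whose hostPath mounts cover the kubelet pod directory, which is where projected service account tokens are stored on a standard node (assumed layout: `/var/lib/kubelet/pods/<pod-uid>/volumes/...`; adjust `SENSITIVE_HOST_PATH` if your nodes use a different kubelet root). The pod list embedded below is constructed for the demonstration.

```python
"""Audit pod manifests for hostPath mounts that expose other pods' service account tokens.

Added example; not Google's or the GKE project's code. Assumes the default kubelet
data root, where every pod's projected service account token lives under
/var/lib/kubelet/pods/<pod-uid>/volumes/kubernetes.io~projected/.../token.
"""
import json
from pathlib import PurePosixPath
from typing import Dict, List

# Host directory that contains the token files of every pod on the node (assumption:
# default kubelet --root-dir; change this if your nodes are configured differently).
SENSITIVE_HOST_PATH = "/var/lib/kubelet/pods"


def covers_sensitive_path(host_path: str) -> bool:
    """True if host_path is equal to, an ancestor of, or inside the kubelet pod directory.

    An ancestor mount (e.g. "/", "/var/lib") exposes every pod's token; a mount inside
    the directory exposes at least one other pod's token. Both are findings.
    """
    p = PurePosixPath(host_path)
    s = PurePosixPath(SENSITIVE_HOST_PATH)
    return p == s or p in s.parents or s in p.parents


def find_token_exposing_mounts(pod_list: Dict) -> List[Dict]:
    """Return one finding per container volumeMount backed by a sensitive hostPath."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        # Map volume name -> host path, for hostPath volumes only.
        host_volumes = {
            vol["name"]: vol["hostPath"]["path"]
            for vol in spec.get("volumes", [])
            if vol.get("hostPath") and "path" in vol["hostPath"]
        }
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            for mount in container.get("volumeMounts", []):
                host_path = host_volumes.get(mount.get("name"))
                if host_path is None or not covers_sensitive_path(host_path):
                    continue
                findings.append({
                    "namespace": meta.get("namespace"),
                    "pod": meta.get("name"),
                    "container": container.get("name"),
                    "volume": mount["name"],
                    "hostPath": host_path,
                    "mountPath": mount.get("mountPath"),
                    # readOnly does not mitigate this: tokens only need to be read.
                    "readOnly": bool(mount.get("readOnly", False)),
                })
    return findings


# Constructed sample input in the shape of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = json.loads("""
{
  "items": [
    {
      "metadata": {"namespace": "kube-system", "name": "log-collector-xyz"},
      "spec": {
        "volumes": [
          {"name": "varlog", "hostPath": {"path": "/var/log"}},
          {"name": "kubelet-pods", "hostPath": {"path": "/var/lib/kubelet/pods"}}
        ],
        "containers": [
          {"name": "collector",
           "volumeMounts": [
             {"name": "varlog", "mountPath": "/var/log", "readOnly": true},
             {"name": "kubelet-pods", "mountPath": "/var/lib/kubelet/pods", "readOnly": true}
           ]}
        ]
      }
    },
    {
      "metadata": {"namespace": "default", "name": "web-app"},
      "spec": {
        "volumes": [{"name": "cache", "emptyDir": {}}],
        "containers": [
          {"name": "web", "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}
        ]
      }
    }
  ]
}
""")

if __name__ == "__main__":
    for finding in find_token_exposing_mounts(SAMPLE_POD_LIST):
        print(f"{finding['namespace']}/{finding['pod']} container={finding['container']} "
              f"hostPath={finding['hostPath']} readOnly={finding['readOnly']}")
```

Run against a live cluster by replacing `SAMPLE_POD_LIST` with `json.load(open("pods.json"))` after `kubectl get pods -A -o json > pods.json`. Every hit is a container that can read the service account tokens of other pods on the same node, so a compromise of that container is at least as bad as a compromise of the most privileged pod sharing the node; the fix is the one the advisory describes, removing the mount or narrowing it to a path that holds no tokens.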

Security researcher Shaul Ben Hai emphasized the potential risks associated with system pods created by cloud vendors, as these pods often run with elevated privileges and are managed by vendors, leaving users with limited control over their configuration and permissions.