Security researchers have identified two vulnerabilities in Google Kubernetes Engine (GKE) that an attacker who already has a foothold in a cluster can chain to escalate privileges. The discovery highlights the growing need for vigilance in cloud-native environments.
In a blog post dated December 27, Palo Alto Networks' Unit 42 team revealed that these vulnerabilities could allow attackers who already have access to a Kubernetes cluster to steal data, deploy malicious pods, and disrupt the normal functioning of the cluster.
Details of the Vulnerabilities
Google patched these vulnerabilities on December 14 under security bulletin GCP-2023-047, so fixes had been available for roughly two weeks by the time of the disclosure. Despite the patches, the nature and potential impact of the vulnerabilities still warrant attention from security professionals.
The first vulnerability centers on the default configuration of FluentBit, the logging agent that runs by default on every GKE cluster. The second flaw is linked to the default permissions of Anthos Service Mesh (ASM), an optional add-on that customers can enable.
Unit 42 researchers explained that neither issue is sufficient on its own: an attacker who can execute code inside the FluentBit container, on a cluster where ASM is also active, can chain the two to take control of the entire cluster.
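Because the escalation requires both components to be present, the first question for a defender is simply whether a given cluster runs both. The script below is an added example (not code from Unit 42, Google, or the GCP bulletin): it reads the output of `kubectl get pods -A -o json` and reports whether the Fluent Bit logging agent and ASM components are both present. The pod-name, namespace and image-name markers it matches on are assumptions used for illustration, and the sample inventory is constructed, not captured from a real cluster. It is a triage heuristic for finding clusters to review against GCP-2023-047, not a test of whether the cluster is patched.

```python
"""Audit a pod inventory for the FluentBit + ASM pairing described above.

Added example; not code from Unit 42, Google or the GCP-2023-047 bulletin.
Usage: kubectl get pods -A -o json | python3 audit_gke_pairing.py
With no piped input it runs against the constructed sample below.
"""
import json
import sys

# Assumed markers (not from the article): GKE's logging agent pods and images
# carry "fluentbit"/"fluent-bit"; ASM deploys Istio components (istiod,
# istio-proxy) and normally lives in the istio-system namespace.
FLUENTBIT_MARKERS = ("fluentbit", "fluent-bit")
ASM_NAMESPACES = ("istio-system",)
ASM_MARKERS = ("istiod", "istio-proxy", "asm-managed")


def _pod_strings(pod):
    """Lower-cased pod name plus every container and initContainer image."""
    spec = pod.get("spec", {})
    yield pod.get("metadata", {}).get("name", "").lower()
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        yield c.get("image", "").lower()


def classify_pod(pod):
    """Return 'fluentbit', 'asm' or None for one pod object."""
    strings = list(_pod_strings(pod))
    if any(m in s for m in FLUENTBIT_MARKERS for s in strings):
        return "fluentbit"
    ns = pod.get("metadata", {}).get("namespace", "").lower()
    if ns in ASM_NAMESPACES or any(m in s for m in ASM_MARKERS for s in strings):
        return "asm"
    return None


def assess_items(items):
    """Group matching pods and flag clusters that run both components."""
    found = {"fluentbit": [], "asm": []}
    for pod in items:
        kind = classify_pod(pod)
        if kind:
            meta = pod["metadata"]
            found[kind].append(f"{meta['namespace']}/{meta['name']}")
    found["chain_possible"] = bool(found["fluentbit"]) and bool(found["asm"])
    return found


def _pod(ns, name, image):
    """Build a minimal pod object in kubectl's JSON shape (sample data only)."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": "c", "image": image}]}}


# Constructed sample inventory; names and images are placeholders.
SAMPLE_ITEMS = [
    _pod("kube-system", "fluentbit-gke-x7k2p", "example.invalid/fluent-bit:1.9"),
    _pod("istio-system", "istiod-asm-abc12", "example.invalid/asm/istiod:1.18"),
    _pod("default", "web-5c7d9", "example.invalid/nginx:1.25"),
]


if __name__ == "__main__":
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    report = assess_items(items)
    for kind in ("fluentbit", "asm"):
        print(f"{kind}: {', '.join(report[kind]) or 'not found'}")
    if report["chain_possible"]:
        print("both components present: review this cluster against GCP-2023-047")
    else:
        print("pairing not present on this cluster")
```

A cluster that the script flags is one where the two default configurations the article describes coexist; a cluster it does not flag may still run an unpatched GKE version, so the patch status from the bulletin should be checked independently.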
Expert Insights
Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, explained that chaining vulnerabilities is a tactic commonly used by sophisticated attackers to breach systems. Carson emphasized that these strategies are typically employed in targeted attacks rather than opportunistic ones. He urged organizations to conduct thorough risk assessments to identify and mitigate environments with these specific configurations.
“Once attackers identify vulnerability chains like these, they often use automated discovery tools to locate environments configured with these settings. They can then leverage the escalated privileges,” Carson said. “Sometimes, attackers exploit the victim directly, or they create a backdoor, which is later sold to other cybercriminals.”
Callie Guenther, Advanced Threat Manager at Critical Start Network Threat Research, underscored the compounded risk when multiple vulnerabilities are chained together. While it is common to find vulnerabilities in complex systems like Kubernetes, Guenther noted that it is rare for two distinct flaws in different components, such as FluentBit and ASM, to align in a way that enables such a significant privilege escalation.
“This specificity makes the situation less common but more dangerous for environments that meet these criteria,” Guenther explained. “The ability to escalate privileges and potentially take over an entire Kubernetes cluster is extremely severe. Kubernetes clusters often run critical applications and services, and a takeover could result in significant operational disruptions, data theft, or the deployment of malicious applications.”
Conclusion
The discovery of these vulnerabilities in GKE underscores the importance of constant vigilance and timely patching in cloud-native environments. Security teams should confirm that their clusters are running a GKE version that includes the GCP-2023-047 fixes, identify which clusters have ASM enabled alongside the default FluentBit agent, and prioritize those clusters in their risk assessments.