Google Cloud Resolves Privilege Escalation Vulnerability in Kubernetes Service
Google Cloud has successfully patched a medium-severity security flaw in its platform that posed a risk of privilege escalation for attackers with existing access to a Kubernetes cluster. The vulnerability, which was reported by Palo Alto Networks’ Unit 42, could have allowed adversaries to engage in harmful activities such as data theft, deploying malicious pods, or disrupting cluster operations.
In an advisory issued on December 14, 2023, Google Cloud acknowledged the risk posed by the flaw and provided details on the resolution.
The Nature of the Vulnerability
The vulnerability could be exploited by an attacker who had already compromised the Fluent Bit logging container within a Kubernetes cluster. On clusters where Anthos Service Mesh (ASM) is enabled, that foothold, combined with the elevated privileges ASM requires, could allow the attacker to escalate their privileges further within the cluster.
While there is no evidence that this vulnerability has been exploited in real-world attacks, Google Cloud took swift action to address the issue. The following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) include the necessary patches:
- GKE: 1.25.16-gke.1020000, 1.26.10-gke.1235000, 1.27.7-gke.1293000, 1.28.4-gke.1083000
- ASM: 1.17.8-asm.8, 1.18.6-asm.2, 1.19.5-asm.4
How the Vulnerability Could Be Exploited
For this vulnerability to be exploited, an attacker would first need to compromise a Fluent Bit container, typically through an initial access method like a remote code execution flaw. Once the container is compromised, the attacker could exploit the flaw to escalate their privileges within the Kubernetes cluster, particularly if ASM is enabled.
Google Cloud explained that Fluent Bit on GKE was configured to collect logs for Cloud Run workloads. The volume mount used for this purpose inadvertently granted Fluent Bit access to Kubernetes service account tokens for other pods on the same node. This access could be exploited by a threat actor to gain privileged access to the cluster and use ASM’s service account token to further escalate privileges.
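The mechanism described above is a hostPath volume that reaches the directory where the kubelet materialises every pod's projected service account token. The following audit script is an added example, not code from Google Cloud, Unit 42 or the Fluent Bit project, and the article does not state which path the GKE Fluent Bit mount actually used. It assumes the default kubelet root directory, so tokens live under `/var/lib/kubelet/pods/<pod-uid>/volumes/kubernetes.io~projected/...`; a cluster run with a non-default kubelet `--root-dir` must pass its own path. The sample manifests are constructed. Given a pod manifest as a Python dict (for example one loaded from `kubectl get pod -o json`), it reports each container mount whose hostPath covers the pod token tree, whether it exposes every pod on the node or a single pod, and ignores `readOnly`, since a read-only mount still lets tokens be read.

```python
"""Audit pod manifests for hostPath mounts that expose other pods' service
account tokens via the kubelet pod directory (added example, not GKE code)."""
import posixpath
from typing import Dict, List, Optional

# Assumption: default kubelet --root-dir (/var/lib/kubelet); override if yours differs.
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def _is_within(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies beneath it after normalisation,
    so "/var/lib/kubelet/pods/../pods/" still compares equal to the pods dir."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def classify_host_path(host_path: str, pods_dir: str = KUBELET_PODS_DIR) -> Optional[str]:
    """'all-pods' if the mount covers the whole token tree (the pods dir or any
    ancestor, including "/"), 'single-pod' if it lands inside one pod's
    directory, None if it does not touch the pod directory at all."""
    if not host_path.startswith("/"):
        return None
    if _is_within(pods_dir, host_path):
        return "all-pods"
    if _is_within(host_path, pods_dir):
        return "single-pod"
    return None


def audit_pod(pod: Dict, pods_dir: str = KUBELET_PODS_DIR) -> List[Dict]:
    """Return one finding per container mount that reaches the kubelet pod tree.
    A hostPath volume that is declared but never mounted produces no finding."""
    spec = pod.get("spec", {})
    host_volumes = {
        v["name"]: v["hostPath"]["path"]
        for v in spec.get("volumes", [])
        if "hostPath" in v
    }
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            host_path = host_volumes.get(m["name"])
            if host_path is None:
                continue
            scope = classify_host_path(host_path, pods_dir)
            if scope:
                findings.append({
                    "pod": pod["metadata"]["name"],
                    "container": c["name"],
                    "volume": m["name"],
                    "hostPath": host_path,
                    "mountPath": m["mountPath"],
                    "readOnly": bool(m.get("readOnly", False)),  # does not prevent token reads
                    "scope": scope,
                })
    return findings


# Constructed sample manifests (not real GKE system pods).
SAMPLE_PODS = [
    {   # log collector that mounts the whole kubelet pod tree read-only
        "metadata": {"name": "log-collector"},
        "spec": {
            "volumes": [
                {"name": "varlog", "hostPath": {"path": "/var/log"}},
                {"name": "kubelet-pods", "hostPath": {"path": "/var/lib/kubelet/pods/"}},
            ],
            "containers": [{"name": "collector", "volumeMounts": [
                {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                {"name": "kubelet-pods", "mountPath": "/host/pods", "readOnly": True},
            ]}],
        },
    },
    {   # node agent that mounts the host root filesystem
        "metadata": {"name": "node-agent"},
        "spec": {
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            "containers": [{"name": "agent", "volumeMounts": [
                {"name": "host", "mountPath": "/host"}]}],
        },
    },
    {   # collector that only mounts the container log directory: no finding
        "metadata": {"name": "tidy-collector"},
        "spec": {
            "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/pods"}}],
            "containers": [{"name": "c", "volumeMounts": [
                {"name": "logs", "mountPath": "/var/log/pods", "readOnly": True}]}],
        },
    },
]


def audit_all(pods: List[Dict] = SAMPLE_PODS) -> List[Dict]:
    """Audit a list of manifests and return the combined findings."""
    return [f for pod in pods for f in audit_pod(pod)]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['pod']}/{f['container']}: hostPath {f['hostPath']} -> "
              f"{f['mountPath']} exposes {f['scope']} (readOnly={f['readOnly']})")
```

Run against live manifests with `kubectl get pods -A -o json` and feed each item of the result to `audit_pod`. The mitigation the article describes, removing the mount that reaches the token tree, is what makes such a finding disappear; the Pod Security Admission `baseline` profile refuses hostPath volumes altogether, which is the broader control for workloads that do not need node access.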
Google Cloud’s Response
To mitigate this risk, Google Cloud removed Fluent Bit’s access to service account tokens and restructured ASM’s functionality to eliminate unnecessary role-based access control (RBAC) permissions. These changes ensure that similar vulnerabilities cannot be exploited in the future.
Security researcher Shaul Ben Hai highlighted the risks associated with system pods managed by cloud vendors, noting that these pods often run with elevated privileges and leave users with limited control over their configuration and permissions. This incident underscores the importance of vigilant security practices and the need for cloud vendors to continually assess and secure their services.
With these updates, Google Cloud has strengthened the security of its Kubernetes service, helping to protect users from potential privilege escalation attacks.