Google Cloud has resolved a moderate security flaw in its platform that could have been abused by an attacker who already had access to a Kubernetes cluster to escalate their privileges.
“An attacker who compromises the Fluent Bit logging container could combine this access with the high privileges required by Anthos Service Mesh (on clusters where it is enabled) to escalate privileges in the cluster,” the company said in an advisory published on December 14, 2023.
Palo Alto Networks Unit 42, which discovered and reported the flaw, said adversaries could weaponize it to “steal data, deploy malicious pods, and disrupt cluster operations.”
There is no evidence that this issue has been widely exploited. It has been resolved in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM):
- 1.25.16-gke.1020000
- 1.26.10-gke.1235000
- 1.27.7-gke.1293000
- 1.28.4-gke.1083000
- 1.17.8-asm.8
- 1.18.6-asm.2
- 1.19.5-asm.4
A key prerequisite for successful exploitation is that the attacker has already compromised the Fluent Bit container through some other means of initial access, such as a remote code execution flaw.
“GKE uses Fluent Bit to process logs of workloads executed on the cluster,” Google explained. “Fluent Bit on GKE is also configured to collect logs for Cloud Run workloads. Volume mounts configured to collect these logs enable Fluent Bit to access the Kubernetes service account tokens of other Pods running on the node.”
This means that a threat actor could use this access to gain privileged access to an ASM-enabled Kubernetes cluster, and then use ASM’s service account tokens to escalate their privileges by creating a new Pod with cluster management permissions.
“The Cluster Role Aggregation Controller (CRAC) service account may be a leading candidate because it can add arbitrary permissions to existing cluster roles,” said security researcher Shaul Ben Hai. “An attacker can update cluster roles bound to CRAC to have all permissions.”
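The chain above rests on two conditions a cluster owner can audit for: a hostPath mount that reaches the kubelet's per-Pod directory (where projected service account tokens are stored) and a role that can rewrite RBAC objects. The following Python check is an added example, not Google's or Unit 42's code; it assumes the default kubelet path and runs against constructed sample manifests.

```python
# Kubelet directory holding every Pod's volumes, including projected
# service account tokens (assumption: default kubelet root, not verified on GKE).
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"

def _covers(outer, inner):
    """True if host path `outer` equals `inner` or is a parent directory of it."""
    outer, inner = outer.rstrip("/"), inner.rstrip("/")
    return outer == inner or inner.startswith(outer + "/")

def token_exposing_mounts(pod):
    """Names of hostPath volumes that reach into the kubelet Pod directory,
    i.e. that let the container read other Pods' service account tokens."""
    hits = []
    for vol in pod.get("spec", {}).get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and (_covers(path, KUBELET_PODS_DIR) or _covers(KUBELET_PODS_DIR, path)):
            hits.append(vol["name"])
    return hits

RBAC_RESOURCES = {"clusterroles", "roles", "clusterrolebindings", "rolebindings", "*"}
ESCALATING_VERBS = {"*", "update", "patch", "escalate", "bind"}

def role_editing_rules(cluster_role):
    """Rules that allow changing (Cluster)Roles or bindings: the capability
    that lets one compromised token grant itself further permissions."""
    hits = []
    for rule in cluster_role.get("rules", []):
        if ({"rbac.authorization.k8s.io", "*"} & set(rule.get("apiGroups", []))
                and RBAC_RESOURCES & set(rule.get("resources", []))
                and ESCALATING_VERBS & set(rule.get("verbs", []))):
            hits.append(rule)
    return hits

# Constructed sample manifests (not GKE's real ones): a log shipper that mounts
# the kubelet Pod directory, a benign Pod that mounts only /var/log, and a
# ClusterRole that can update other cluster roles.
LOG_SHIPPER = {"metadata": {"name": "log-shipper"}, "spec": {"volumes": [
    {"name": "varlog", "hostPath": {"path": "/var/log"}},
    {"name": "kubelet-pods", "hostPath": {"path": "/var/lib/kubelet/pods"}}]}}
BENIGN = {"metadata": {"name": "benign"}, "spec": {"volumes": [
    {"name": "varlog", "hostPath": {"path": "/var/log"}}]}}
ROLE_EDITOR = {"metadata": {"name": "role-editor"}, "rules": [
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
     "verbs": ["get", "update"]}]}

if __name__ == "__main__":
    for pod in (LOG_SHIPPER, BENIGN):
        print(pod["metadata"]["name"], "token-exposing mounts:", token_exposing_mounts(pod))
    print(ROLE_EDITOR["metadata"]["name"], "role-editing rules:", len(role_editing_rules(ROLE_EDITOR)))
```

A manifest that mounts a parent such as `/var/lib` or `/` is flagged the same way, since the token directory is reachable underneath it.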
With the fix, Google removed Fluent Bit’s access to service account tokens and restructured ASM functionality to remove excessive role-based access control (RBAC) permissions.
“When the cluster starts, the cloud provider will automatically create system Pods,” Ben Hai concluded. “They are built into your Kubernetes infrastructure and are the same additional Pods that are created when a feature is enabled.”
“This is because the cloud or application provider typically creates and manages them, and the user has no control over their configuration or permissions. This can also be very dangerous because these Pods run with elevated privileges.”