Highlights:

  • A misconfiguration in FluentBit permits an attacker to execute code within the FluentBit container, thereby gaining access to sensitive tokens from other pods. This unauthorized access enables the execution of actions within the cluster.
  • FluentBit container, retrieve tokens from other pods, generate new pods with elevated privileges, and ultimately attain administrative control over the Kubernetes cluster.

Google LLC has addressed two noteworthy vulnerabilities within Google Kubernetes Engine that had the potential to enable an unauthorized party to take control of a Kubernetes cluster.

The vulnerabilities, outlined on December 27 by researchers at Unit 42, a division of Palo Alto Networks Inc., were related to an issue in the default configuration of GKE’s logging agent FluentBit. This agent runs automatically on all clusters, along with default privileges for Anthos Service Mesh, an optional add-on that customers can activate.

Individually, these vulnerabilities pose no significant risk. However, when both are exploited in tandem, they create a pathway for an attacker to compromise Google Kubernetes Engine (GKE). To leverage this pair of vulnerabilities, an attacker needs to initiate execution within the FluentBit container. If the cluster also incorporates Anthos Service Mesh (ASM), the attacker can establish a potent chain of actions, ultimately gaining control of a Kubernetes cluster.

A misconfiguration in FluentBit permits an attacker to execute code within the FluentBit container, thereby gaining access to sensitive tokens from other pods. This unauthorized access enables the execution of actions within the cluster. The Container Network Interface DaemonSet of ASM maintains excessive permissions even post-installation, allowing attackers to generate new pods with broad permissions. This further amplifies the attacker’s control over the cluster.

The amalgamation of these vulnerabilities empowers an attacker to take control of the FluentBit container, retrieve tokens from other pods, generate new pods with elevated privileges, and ultimately attain administrative control over the entire Kubernetes cluster.

The positive development is that Google has addressed both vulnerabilities through GCP-2023-047, releasing a patch on December 14. However, in the realm of cybersecurity, it’s crucial to emphasize that a patch is effective only when it is applied. Additionally, it’s important to note that the patch for the ASM vulnerability requires a manual application. The existence of a tandem or chain vulnerability in this attack scenario has raised concerns among security experts.

Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start Inc., commented, “In complex systems like Kubernetes, it is not uncommon to find vulnerabilities that can be exploited in tandem. However, it’s less common for two distinct vulnerabilities in different components (like FluentBit and ASM in this case) to align in a way that allows for such a significant escalation of privileges.”

Guenther explained that the capability to escalate privileges and potentially seize control of an entire Kubernetes cluster is a grave concern. She added, “Kubernetes clusters often run critical applications and services, and a takeover could lead to significant operational disruptions, data theft, or deployment of malicious applications.”

Joseph Carson, Chief Security Scientist and Advisory Chief Information Security Officer at privileged access management firm Delinea Inc., noted that chaining vulnerabilities is a common technique that more advanced and sophisticated attackers employ to access victims’ environments.

Carson stated, “These types of vulnerabilities make it difficult for organizations to evaluate the risks as they might look at each vulnerability individually. This is why organizations must assess the risks of the service as a whole and identify vulnerability chain exploits that they might be exposed to.”