A security flaw in Google Kubernetes could put your business at risk from anyone with a Gmail account
The Google Kubernetes Engine (GKE) contained a vulnerability that could allow almost anyone with a Gmail account to take over a Kubernetes cluster.
Cybersecurity researchers at Orca disclosed the flaw, calling it Sys:All and claiming that a quarter of a million active GKE clusters could be vulnerable to it.
The problem lies in the fact that many people wrongly believe the system:authenticated group in Google Kubernetes Engine contains only authenticated and deterministic identities, researcher Ofir Yakobi told The Hacker News. In reality, any verified Google account will do.
Fixing the error
As explained in the report, the system:authenticated group includes every authenticated entity: human users as well as service accounts. This means a threat actor can present a Google OAuth 2.0 bearer token and, where that group has been bound to a powerful role, gain control of the cluster. That control can then be used to deploy all kinds of malware, move laterally through the network, or steal sensitive data from the endpoints.
Furthermore, the victim organization would not be able to trace the attack to a specific Gmail or Google Workspace account. The Hacker News reports that “numerous organizations” could be affected by the findings, and several types of sensitive data could be at risk. That includes JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and container registry credentials.
Shortly after the news broke, Google took steps to block the binding of the system:authenticated group to the cluster administrator (cluster-admin) role in GKE. These protections apply to versions 1.28 and later.
“To protect your clusters from massive malware attacks that exploit misconfigurations of access to cluster managers, GKE clusters running version 1.28 and later do not allow you to bind the cluster-admin ClusterRole to the system:anonymous user or to the system:unauthenticated or system:authenticated groups,” the cloud giant said in its advisory.
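The misconfiguration described above is a ClusterRoleBinding whose subject is one of the catch-all built-in groups rather than an organisation's own identities. The following audit script is an added example, not code from the article, Orca or Google; it walks the JSON that `kubectl get clusterrolebindings -o json` produces (a constructed sample is embedded) and flags any binding that hands a ClusterRole to system:authenticated, system:unauthenticated or system:anonymous. Treating the read-only discovery roles as benign is an assumption of this example.

```python
"""Audit ClusterRoleBindings for the Sys:All misconfiguration: a ClusterRole
granted to the catch-all subjects system:authenticated, system:unauthenticated
or system:anonymous. Input is the JSON from `kubectl get clusterrolebindings -o json`."""
import json

# Built-in subjects that mean "anyone with a Google account" (or no account), not "my organisation".
BROAD_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}
# Read-only discovery roles Kubernetes itself binds to these groups; treating them
# as benign is an assumption of this example, not something the article states.
DISCOVERY_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_risky_bindings(bindings_json: str) -> list:
    """One finding per (binding, subject) that ties a broad subject to a non-discovery role."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        if role in DISCOVERY_ROLES:
            continue
        for subj in item.get("subjects") or []:
            if (subj.get("kind"), subj.get("name")) in BROAD_SUBJECTS:
                findings.append({
                    "binding": item["metadata"]["name"],
                    "subject": subj["name"],
                    "role": role,
                    # cluster-admin is the case the article describes; any other role is still too broad
                    "severity": "critical" if role == "cluster-admin" else "high",
                })
    return findings


# Constructed sample in the shape of `kubectl get clusterrolebindings -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "everyone-admin"},  # the Sys:All misconfiguration
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "ops-admin"},  # scoped to a real org group: fine
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops@example.com"}]},
]})

if __name__ == "__main__":
    for f in find_risky_bindings(SAMPLE):
        print(f"[{f['severity']}] {f['binding']}: {f['subject']} -> {f['role']}")
```

Run it against a live dump with `kubectl get clusterrolebindings -o json > crb.json` and pass the file contents to `find_risky_bindings`; on the sample it reports only `everyone-admin`.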