Google Cloud says it has fixed a significant security flaw

Google Cloud has patched a vulnerability that could potentially allow malicious actors with access to a Kubernetes cluster to escalate their privileges and wreak havoc.

“An attacker who has compromised the Fluent Bit log container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have it enabled) to escalate privileges in the cluster,” the company said in an advisory.

“The issues with Fluent Bit and Anthos Service Mesh have been resolved and fixes are now available. These vulnerabilities themselves are not exploitable in GKE and require an initial compromise.”

Data theft

Google also claims that it has found no evidence that the vulnerabilities are being exploited in the wild.

As for the fixes, these are the versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) that contain them; clusters should be at or above the listed version for their minor line:

GKE:
1.25.16-gke.1020000
1.26.10-gke.1235000
1.27.7-gke.1293000
1.28.4-gke.1083000

ASM:
1.17.8-asm.8
1.18.6-asm.2
1.19.5-asm.4
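A quick way to turn the version list above into a check is to parse the GKE/ASM version strings and compare a cluster's version against the fixed release for the same minor line. This is an added example, not code from Google or Unit 42; it assumes the GKE and ASM version formats shown in the article (major.minor.patch-product.build) and that a minor line absent from the table (for example a newer 1.29 release) is reported as unknown rather than patched.

```python
"""Compare a GKE or ASM version string against the fixed releases listed
in the article. Added example; not Google's or Unit 42's code."""
import re
from typing import Optional, Tuple

# Fixed versions quoted in the article, keyed by product and minor line.
FIXED_VERSIONS = {
    "gke": {
        "1.25": "1.25.16-gke.1020000",
        "1.26": "1.26.10-gke.1235000",
        "1.27": "1.27.7-gke.1293000",
        "1.28": "1.28.4-gke.1083000",
    },
    "asm": {
        "1.17": "1.17.8-asm.8",
        "1.18": "1.18.6-asm.2",
        "1.19": "1.19.5-asm.4",
    },
}

# Assumed format: <major>.<minor>.<patch>-<gke|asm>.<build>
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(gke|asm)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int, int, int]]:
    """Split '1.27.7-gke.1293000' into ('gke', (1, 27, 7, 1293000)).

    Raises ValueError for strings that do not look like GKE/ASM versions,
    so a typo in an inventory file fails loudly instead of passing."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, product, build = m.groups()
    return product, (int(major), int(minor), int(patch), int(build))


def is_patched(version: str) -> Optional[bool]:
    """True if `version` is at or above the fixed release of its minor line,
    False if it is below it, None if the minor line is not in the table
    (treat None as 'verify manually', not as safe)."""
    product, parsed = parse_version(version)
    fixed = FIXED_VERSIONS[product].get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    _, fixed_parsed = parse_version(fixed)
    # Tuple comparison orders by major, minor, patch, then build number.
    return parsed >= fixed_parsed


if __name__ == "__main__":
    # Constructed sample inventory, not real cluster data.
    for v in ["1.27.6-gke.1506000", "1.28.4-gke.1083000", "1.18.5-asm.9", "1.29.0-gke.1000000"]:
        print(v, is_patched(v))
```

Feed it the output of `gcloud container clusters list --format="value(currentMasterVersion)"` (and the ASM revision label on the istiod deployment) to sweep a fleet; anything that returns None is a minor line the article does not cover and needs checking against Google's own notes.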

The vulnerabilities were first discovered by Unit 42, the cybersecurity division of Palo Alto Networks, The Hacker News reports. In its report, Unit 42 says the flaws could be used for data theft, deployment of malicious pods and disruption of the cluster's operations. However, for this to work, the attacker must already have compromised a Fluent Bit container.

“GKE uses Fluent Bit to process logs for workloads running on clusters,” Google further explains. “Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node.”

In other words, an attacker who had already compromised the Fluent Bit container on a cluster with ASM enabled could read the ASM service account token exposed through that volume mount, and then use it to create a new pod with cluster-admin rights, escalating their privileges to the highest level.

“The cluster role aggregation controller (CRAC) service account is probably the leading candidate because it can add arbitrary permissions to existing cluster roles,” says security researcher Shaul Ben Hai. “The attacker can update the cluster role associated with CRAC to have full privileges.”
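The two conditions described above, a log-collector pod whose hostPath mount reaches other pods' service account tokens, and an RBAC role that can rewrite ClusterRoles, can both be audited from exported Kubernetes objects. The following is an added example and not code from Google, Unit 42 or the Fluent Bit project. It assumes that the kubelet keeps every pod's volumes, including projected service account tokens, under /var/lib/kubelet/pods on the node (standard kubelet behaviour, not stated in the article), so any hostPath mount at or above that directory exposes the tokens; the sample pod and ClusterRoles are constructed for the demonstration.

```python
"""Audit pods for hostPath mounts that expose other pods' service account
tokens, and ClusterRoles that can modify ClusterRoles. Added example; not
Google's, Unit 42's or Fluent Bit's code. Sample objects are constructed."""
from typing import Dict, List

# Assumption: the kubelet materialises each pod's volumes (including the
# projected token in kube-api-access-*) below this node directory.
KUBELET_PODS_DIR = "/var/lib/kubelet/pods"


def _covers(host_path: str, target: str) -> bool:
    """True if mounting `host_path` also exposes `target` (same dir or ancestor)."""
    hp = host_path.rstrip("/") or "/"
    return hp == "/" or target == hp or target.startswith(hp + "/")


def token_exposing_mounts(pod: Dict) -> List[str]:
    """Return 'container:volume:hostPath' for each hostPath volume that
    reaches the kubelet pods directory and is actually mounted. A readOnly
    mount is still flagged: reading the token is all an attacker needs."""
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None and _covers(path, KUBELET_PODS_DIR):
                findings.append(f"{c['name']}:{m['name']}:{path}")
    return findings


def _matches(values: List[str], wanted: str) -> bool:
    return "*" in values or wanted in values


def clusterrole_rewriters(roles: List[Dict]) -> List[str]:
    """Names of ClusterRoles with update/patch/* on clusterroles in the RBAC
    API group: the capability the article attributes to CRAC. The token of
    any ServiceAccount bound to such a role is a privilege-escalation path."""
    hits = []
    for role in roles:
        for rule in role.get("rules", []):
            if (_matches(rule.get("apiGroups", []), "rbac.authorization.k8s.io")
                    and _matches(rule.get("resources", []), "clusterroles")
                    and any(v in rule.get("verbs", []) for v in ("*", "update", "patch"))):
                hits.append(role["metadata"]["name"])
                break
    return hits


# Constructed sample pod: a log collector mounting /var/log (fine) and the
# kubelet pods directory (exposes every pod's token on the node).
LOG_COLLECTOR_POD = {
    "metadata": {"name": "log-collector", "namespace": "logging"},
    "spec": {
        "volumes": [
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
            {"name": "podvols", "hostPath": {"path": "/var/lib/kubelet/pods"}},
        ],
        "containers": [{
            "name": "collector",
            "image": "example/log-collector:1.0",
            "volumeMounts": [
                {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                {"name": "podvols", "mountPath": "/var/lib/kubelet/pods", "readOnly": True},
            ],
        }],
    },
}

# Constructed sample ClusterRoles: one shaped like an aggregation controller,
# one harmless reader.
SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": "aggregation-controller-like"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterroles"],
                "verbs": ["escalate", "get", "list", "patch", "update", "watch"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    print(token_exposing_mounts(LOG_COLLECTOR_POD))
    print(clusterrole_rewriters(SAMPLE_CLUSTERROLES))
```

On a live cluster, feed `kubectl get pods -A -o json` and `kubectl get clusterroles -o json` (the `items` lists) into the two functions; a hit in the first list on the same node as a ServiceAccount bound to a hit in the second is exactly the chain the article describes.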
