
Azure Kubernetes Bug Lays Open Cluster Secrets


Microsoft addressed a critical privilege escalation vulnerability in its managed Azure Kubernetes Service (AKS), which allowed attackers to gain access to credentials for various services used by the cluster.

Attackers could have exploited the issue to access sensitive information, steal data, and execute other malicious actions in an affected AKS cluster, Mandiant said in a report this week. The company had previously discovered and reported the vulnerability to Microsoft.

No Privileges Required

The vulnerability affected AKS clusters using the Azure CNI and Azure Network Policy network configuration settings. An attacker with command execution privileges within any pod of an affected AKS cluster could have leveraged the flaw to download the configuration details for the node, including the TLS bootstrap tokens used during the initial setup of a Kubernetes node, Mandiant said. The tokens would have allowed an adversary to perform a TLS bootstrap attack and generate a legitimate kubelet certificate, which would have given them elevated privileges within the cluster and unauthorized access to all its contents.

Significantly, an attacker could have exploited the flaw without needing any special privileges, Mandiant said. “This attack did not require the pod to be running with hostNetwork set to true and does not require the pod to be running as root,” Mandiant researchers Nick McClendon, Daniel McNamara, and Jacob Paullus wrote in a blog post this week.

Undocumented WireServer Component

Mandiant identified the vulnerability, before Microsoft fixed it, as stemming from the ability of an attacker with command execution privileges on an AKS pod to access an undocumented Azure component called WireServer. Mandiant researchers found that by following an attack technique that CyberCX published in May 2023, they could recover TLS bootstrap tokens for the cluster from WireServer. “Given access to the WireServer and HostGAPlugin endpoint, an attacker could retrieve and decrypt the settings provided to a number of extensions, including the ‘Custom Script Extension,’ a service used to provide a virtual machine its initial configuration,” the Mandiant researchers wrote.

They described the issue as a manifestation of what happens when organizations deploy Kubernetes clusters without considering how an attacker with code execution rights inside a pod might be able to leverage that access. There are multiple ways in which attackers can take over a pod, including by exploiting vulnerabilities in the applications running in a pod, during continuous integration processes, or via a compromised developer account.

Excessive Access

Without granular network policies, restrictions against unsafe workloads, and authentication requirements for internal services, an attacker with access to a pod in a Kubernetes cluster can reach other pods and services in that cluster. This includes servers that hold configuration details, instance metadata, and credentials for services within the cluster and for other cloud services.

“Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class,” Mandiant said. “Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all.”
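As an added example (not code from the Mandiant report or from Microsoft), here is a NetworkPolicy of the kind Mandiant describes: default-deny egress for one namespace, allowing DNS and in-cluster traffic only, so a pod cannot reach the node's metadata endpoints at all. The namespace name, the 10.0.0.0/8 cluster range, the CoreDNS labels and the WireServer/IMDS addresses (168.63.129.16 and 169.254.169.254, the standard Azure link-local endpoints) are assumptions for this example.

```yaml
# Added example, not from the Mandiant report or Microsoft. Selecting Egress in
# policyTypes together with a rule list turns egress into an allow-list: anything
# not matched below, including the link-local WireServer (168.63.129.16) and IMDS
# (169.254.169.254) endpoints, is dropped for every pod in the namespace.
# Namespace name, 10.0.0.0/8 cluster range and CoreDNS labels are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: app
spec:
  podSelector: {}            # applies to every pod in the "app" namespace
  policyTypes:
    - Egress
  egress:
    # 1. Name resolution: CoreDNS in kube-system only
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. In-cluster pods and services (assumed VNet/pod range used by Azure CNI).
    #    Nothing link-local is inside this block, so the metadata endpoints stay
    #    unreachable.
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
    # 3. Only if a workload genuinely needs internet egress, add a rule like the
    #    one below instead of widening rule 2; "except" keeps the host metadata
    #    endpoints carved out of the allowed range.
    # - to:
    #     - ipBlock:
    #         cidr: 0.0.0.0/0
    #         except:
    #           - 168.63.129.16/32
    #           - 169.254.169.254/32
```

After applying it, verify from a shell inside a pod in the namespace that connections to 168.63.129.16 and 169.254.169.254 time out, and confirm that the cluster's policy engine (Azure Network Policy Manager or Calico) enforces every field used here, in particular ipBlock with except.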

Callie Guenther, senior manager, cyber threat research at Critical Start, said that though Microsoft has patched the issue, security teams should immediately audit their AKS configurations. This is especially true if they are using Azure CNI for network configuration and Azure for network policy, Guenther said in an emailed comment. “They should also rotate all Kubernetes secrets, implement strict pod security policies, and implement robust logging and monitoring to detect any suspicious activities,” Guenther noted. “While this vulnerability is significant, requiring prompt action, it is a second-stage attack, meaning it needs prior access to a pod. Thus, it should be prioritized accordingly within the broader context of an organization's threat landscape.”
