Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster.
"An attacker with command execution in a Pod running within an affected Azure Kubernetes Services cluster could download the configuration used to provision the cluster node, extract the transport layer security (TLS) bootstrap tokens, and perform a TLS bootstrap attack to read all secrets within the cluster," Google-owned Mandiant said.
Clusters using "Azure CNI" for the "Network configuration" and "Azure" for the "Network Policy" have been found to be impacted by the privilege escalation bug. Microsoft has since addressed the issue following responsible disclosure.
The attack technique devised by the threat intelligence firm hinges on accessing a little-known component called Azure WireServer to request a key used to encrypt protected settings values ("wireserver.key") and using it to decode a provisioning script that includes a number of secrets, such as the following:
- KUBELET_CLIENT_CONTENT (Generic Node TLS Key)
- KUBELET_CLIENT_CERT_CONTENT (Generic Node TLS Certificate)
- KUBELET_CA_CRT (Kubernetes CA Certificate)
- TLS_BOOTSTRAP_TOKEN (TLS Bootstrap Authentication Token)
"KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, and KUBELET_CA_CRT can be Base64 decoded and written to disk to use with the Kubernetes command-line tool kubectl to authenticate to the cluster," researchers Nick McClendon, Daniel McNamara, and Jacob Paullus said.
"This account has minimal Kubernetes permissions in recently deployed Azure Kubernetes Service (AKS) clusters, but it can notably list nodes in the cluster."
TLS_BOOTSTRAP_TOKEN, on the other hand, could be used to enable a TLS bootstrap attack and ultimately gain access to all secrets used by running workloads. The attack does not require the pod to be running as root.
"Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class," Mandiant said. "Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all."
The disclosure comes as Kubernetes security platform ARMO highlighted a new high-severity Kubernetes flaw (CVE-2024-7646, CVSS score: 8.8) that affects the ingress-nginx controller and could enable a malicious actor to gain unauthorized access to sensitive cluster resources.
"The vulnerability stems from a flaw in the way ingress-nginx validates annotations on Ingress objects," security researcher Amit Schendel said.
"The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks. This can lead to arbitrary command injection and potential access to the ingress-nginx controller's credentials, which, in default configurations, has access to all secrets in the cluster."
It also follows the discovery of a design flaw in the Kubernetes git-sync project that could allow for command injection across Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and Linode.
"This design flaw can cause either data exfiltration of any file in the pod (including service account tokens) or command execution with the git_sync user privileges," Akamai researcher Tomer Peled said. "To exploit the flaw, all an attacker needs to do is apply a YAML file on the cluster, which is a low-privilege operation."
There are no patches planned for the vulnerability, making it essential that organizations audit their git-sync pods to determine what commands are being run.
"Both vectors are caused by a lack of input sanitization, which highlights the need for a robust defense regarding user input sanitization," Peled said. "Blue team members should be on the lookout for unusual behavior coming from the gitsync user in their organizations."
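As an added defender-side example (not code from the article, Mandiant, ARMO or Akamai), the script below audits constructed `kubectl ... -o json` output for the two checks the article recommends: which git-sync containers exist and exactly what command line they run, and whether each one's namespace has a namespace-wide egress NetworkPolicy of the restrictive kind Mandiant describes. Pod names, namespaces, image tags and repository URLs are made-up sample values.

```python
import json

# Constructed sample standing in for `kubectl get pods -A -o json` output;
# names, namespaces, repo URLs and image tags are placeholders, not real data.
PODS_JSON = """{"items": [
 {"metadata": {"name": "web", "namespace": "prod"},
  "spec": {"containers": [
   {"name": "git-sync", "image": "registry.k8s.io/git-sync/git-sync:sample-tag",
    "args": ["--repo=https://git.example.invalid/app.git", "--root=/git"]},
   {"name": "nginx", "image": "nginx:sample-tag"}]}},
 {"metadata": {"name": "batch", "namespace": "dev"},
  "spec": {"containers": [
   {"name": "sync", "image": "mirror.example.invalid/git-sync:sample-tag",
    "command": ["/git-sync"],
    "args": ["--repo=https://git.example.invalid/jobs.git", "--period=30s"]}]}}]}"""

# Constructed sample standing in for `kubectl get networkpolicies -A -o json`.
NETPOLS_JSON = """{"items": [
 {"metadata": {"name": "default-deny-egress", "namespace": "prod"},
  "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}]}"""

def restricts_all_egress(netpol):
    # Empty podSelector = every pod in the namespace; Egress in policyTypes with
    # no rules denies all egress, with rules it is an allow-list. Either way a
    # pod cannot reach an undocumented service unless explicitly permitted.
    spec = netpol.get("spec", {})
    return spec.get("podSelector") == {} and "Egress" in spec.get("policyTypes", [])

def egress_restricted_namespaces(netpols_json):
    items = json.loads(netpols_json)["items"]
    return {np["metadata"]["namespace"] for np in items if restricts_all_egress(np)}

def audit_git_sync(pods_json, netpols_json):
    """List every git-sync container with the exact command line it runs and
    whether its namespace has a namespace-wide egress NetworkPolicy."""
    restricted = egress_restricted_namespaces(netpols_json)
    findings = []
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        for c in pod["spec"].get("containers", []):
            if "git-sync" not in c.get("image", "") and "git-sync" not in c["name"]:
                continue
            findings.append({
                "namespace": ns, "pod": pod["metadata"]["name"], "container": c["name"],
                "command": " ".join(c.get("command", []) + c.get("args", [])),
                "egress_restricted": ns in restricted,
            })
    return findings
```

Run it against real output by piping `kubectl get pods -A -o json` and `kubectl get networkpolicies -A -o json` into the two functions; any finding with `egress_restricted` false is a namespace where a compromised pod could still reach services it was never meant to talk to.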