
Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster.

“An attacker with command execution in a Pod running inside an affected Azure Kubernetes Services cluster could download the configuration used to provision the cluster node, extract the transport layer security (TLS) bootstrap tokens, and perform a TLS bootstrap attack to read all secrets within the cluster,” Google-owned Mandiant said.

Clusters using “Azure CNI” for the “Network configuration” and “Azure” for the “Network Policy” were found to be impacted by the privilege escalation bug. Microsoft has since addressed the issue following responsible disclosure.


The attack technique devised by the threat intelligence firm hinges on accessing a little-known component called Azure WireServer to request a key used to encrypt protected settings values (“wireserver.key”) and using it to decode a provisioning script that includes a number of secrets, among them the following:

  • KUBELET_CLIENT_CONTENT (Generic Node TLS Key)
  • KUBELET_CLIENT_CERT_CONTENT (Generic Node TLS Certificate)
  • KUBELET_CA_CRT (Kubernetes CA Certificate)
  • TLS_BOOTSTRAP_TOKEN (TLS Bootstrap Authentication Token)

“KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, and KUBELET_CA_CRT can be Base64 decoded and written to disk to use with the Kubernetes command-line tool kubectl to authenticate to the cluster,” researchers Nick McClendon, Daniel McNamara, and Jacob Paullus said.

“This account has minimal Kubernetes permissions in recently deployed Azure Kubernetes Service (AKS) clusters, but it can notably list nodes in the cluster.”

TLS_BOOTSTRAP_TOKEN, on the other hand, could be used to perform a TLS bootstrap attack and ultimately gain access to all secrets used by running workloads. The attack does not require the pod to be running as root.

“Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class,” Mandiant said. “Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all.”

The disclosure comes as Kubernetes security platform ARMO highlighted a new high-severity Kubernetes flaw (CVE-2024-7646, CVSS score: 8.8) that affects the ingress-nginx controller and could enable a malicious actor to gain unauthorized access to sensitive cluster resources.


“The vulnerability stems from a flaw in the way ingress-nginx validates annotations on Ingress objects,” security researcher Amit Schendel said.

“The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks. This can lead to arbitrary command injection and potential access to the ingress-nginx controller’s credentials, which, in default configurations, has access to all secrets in the cluster.”


It also follows the discovery of a design flaw in the Kubernetes git-sync project that could allow command injection across Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and Linode.

“This design flaw can cause either data exfiltration of any file in the pod (including service account tokens) or command execution with the git_sync user privileges,” Akamai researcher Tomer Peled said. “To exploit the flaw, all an attacker needs to do is apply a YAML file on the cluster, which is a low-privilege operation.”


No patches are planned for the vulnerability, making it essential that organizations audit their git-sync pods to determine what commands are being run.

“Both vectors are due to a lack of input sanitization, which highlights the need for a robust defense regarding user input sanitization,” Peled said. “Blue team members should be on the lookout for unusual behavior coming from the gitsync user in their organizations.”
