Cybersecurity researchers have discovered a security flaw affecting Microsoft’s Azure Kubernetes services that, if successfully exploited, could allow an attacker to elevate privileges and gain access to credentials for services used by the cluster.
“An attacker executing a command in a Pod running on a compromised Azure Kubernetes Services cluster can download the configuration used to secure a cluster node, obtain TLS bootstrap tokens, and perform a TLS bootstrap attack to read all secrets inside the cluster,” Google-owned Mandiant said.
Clusters using “Azure CNI” for “Network Configuration” and “Azure” for “Network Policy” were found to be affected by the elevation of privilege bug. Microsoft has since resolved the issue following responsible disclosure.
The attack technique, developed by the threat intelligence firm, relies on accessing a little-known component called Azure WireServer to request the key used to encrypt secure settings values (“wireserver.key”) and using it to decode a provisioning script that includes several secrets, such as the following:
- KUBELET_CLIENT_CONTENT (Node TLS Shared Key)
- KUBELET_CLIENT_CERT_CONTENT (Shared Node TLS Certificate)
- KUBELET_CA_CRT (Kubernetes CA certificate)
- TLS_BOOTSTRAP_TOKEN (TLS Bootstrap Authentication Token)
“KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, and KUBELET_CA_CRT can be Base64 decoded and written to disk for use with the Kubernetes kubectl command-line tool for cluster authentication,” said researchers Nick McClendon, Daniel McNamara, and Jacob Paulus.
“This account has minimal Kubernetes permissions on newly deployed Azure Kubernetes Service (AKS) clusters, but in particular it can list the nodes in the cluster.”
TLS_BOOTSTRAP_TOKEN, on the other hand, can be used to mount a TLS bootstrap attack and ultimately gain access to all the secrets used by the workloads. The attack does not require the pod to be running as root.
“Adopting a process of creating restrictive NetworkPolicies that only allow access to essential services prevents this entire class of attacks,” Mandiant said. “Elevation of privileges through an undocumented service is prevented if the service is not accessible at all.”
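A restrictive NetworkPolicy of the kind Mandiant recommends, as an added example that is not part of the original article or of Mandiant's research: it denies all egress from pods in a namespace by default and re-opens only cluster DNS and one in-cluster dependency, so link-local endpoints such as the Azure WireServer (168.63.129.16, Azure's published address) are unreachable from the pod network. The namespace name `app`, the label `app: backend` and port 8080 are constructed; enforcement assumes an active network policy engine, which the affected “Azure” Network Policy configuration already provides.

```yaml
# Default-deny egress for every pod in the namespace, then allow only
# cluster DNS and one named in-cluster dependency. Anything not listed,
# including the Azure WireServer (168.63.129.16) and IMDS (169.254.169.254)
# link-local endpoints, is unreachable from pods in this namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: app            # constructed namespace name
spec:
  podSelector: {}           # empty selector: applies to all pods here
  policyTypes:
  - Egress                  # once listed, egress is deny-by-default
  egress:
  # CoreDNS in kube-system (AKS labels its DNS pods k8s-app=kube-dns)
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # The only in-namespace service this workload needs (constructed label/port)
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
```

A NetworkPolicy is namespace-scoped, so apply one in every namespace that runs workloads; pods in namespaces without such a policy keep unrestricted egress.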
The disclosure comes after Kubernetes security platform ARMO highlighted a serious new vulnerability in Kubernetes (CVE-2024-7646, CVSS score: 8.8) that affects the ingress-nginx controller and could allow an attacker to gain unauthorized access to sensitive cluster resources.
“The vulnerability is due to a flaw in how ingress-nginx validates annotations on Ingress objects,” security researcher Amit Schendel said.
“The vulnerability allows an attacker to inject malicious content into certain annotations by bypassing the intended validation checks. This could lead to arbitrary command entry and potentially access to the credentials of the ingress-nginx controller, which in default configurations has access to all secrets in the cluster.”
It also follows the discovery of a design flaw in the Kubernetes git-sync project that can allow command injection on Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and Linode.
“This design flaw could lead to either the data theft of any file in the module (including service account tokens) or the execution of a command with git_sync privileges,” said Akamai researcher Tomer Peled. “To exploit the flaw, all an attacker would have to do is apply a YAML file to the cluster, which is a low-privilege operation.”
There are no fixes planned for this vulnerability, so organizations should audit their git-sync modules to determine which commands are being executed.
“Both vectors are associated with a lack of input sanitization, which highlights the need for robust protection against user input sanitization,” Peled said. “Blue team members should be on the lookout for unusual behavior by gitsync users in their organizations.”