Azure Kubernetes Bug Lays Open Cluster Secrets

Microsoft addressed a critical privilege escalation vulnerability in its managed Azure Kubernetes Service (AKS), which allowed attackers to gain access to credentials for various services used by the cluster.

Attackers could have exploited the issue to access sensitive information, steal data, and execute other malicious actions in an affected AKS cluster, Mandiant said in a report this week. The company had already discovered and reported the vulnerability to Microsoft.

No Privileges Required

The vulnerability affected AKS clusters using the Azure CNI and Azure Network Policy network configuration settings. An attacker with command execution privileges inside any pod of an affected AKS cluster could have leveraged the flaw to download the configuration details for the node, including the TLS bootstrap tokens used during the initial setup of a Kubernetes node, Mandiant said. The tokens would have allowed an adversary to perform a TLS bootstrap attack and generate a legitimate kubelet certificate, which would have given them elevated privileges within the cluster and unauthorized access to all its contents.

Significantly, an attacker could have exploited the flaw without needing any special privileges, Mandiant said. “This attack did not require the pod to be running with hostNetwork set to true and does not require the pod to be running as root,” Mandiant researchers Nick McClendon, Daniel McNamara, and Jacob Paullus wrote in a blog post this week.

Undocumented WireServer Component

Mandiant identified the vulnerability — before Microsoft fixed it — as stemming from the ability of an attacker with command execution privileges on an AKS pod to access an undocumented Azure component called WireServer. Mandiant researchers found that by following an attack technique that CyberCX published in May 2023, they could recover TLS bootstrap tokens for the cluster from WireServer. “Given access to the WireServer and HostGAPlugin endpoint, an attacker could retrieve and decrypt the settings provided to a number of extensions, including the ‘Custom Script Extension,’ a service used to provide a virtual machine its initial configuration,” the Mandiant researchers wrote.

They described the issue as a manifestation of what happens when organizations deploy Kubernetes clusters without considering how an attacker with code execution rights inside a pod might be able to leverage that access. There are several ways in which attackers can take over a pod, including by exploiting vulnerabilities in the applications running in a pod, during continuous integration processes, or through a compromised developer account.

Excessive Access

Without granular network policies, restrictions against unsafe workloads, and authentication requirements for internal services, an attacker with access to a pod in a Kubernetes cluster can reach other pods and services on the cluster. This includes servers that hold configuration details, instance metadata, and credentials for services within the cluster and for other cloud services.

“Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class,” Mandiant said. “Privilege escalation through an undocumented service is prevented when the service cannot be accessed at all.”
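The restrictive NetworkPolicy Mandiant recommends, as an added example that is not from the Mandiant report or Microsoft's documentation: a default-deny egress policy for a hypothetical "payments" namespace that permits only cluster DNS and one required backend (the `app: ledger-api` label is assumed), so any other destination, including node-level metadata endpoints, is dropped by the policy engine.

```yaml
# Added example (not from the Mandiant report). Namespace and backend
# labels are hypothetical; kube-dns label and namespace match AKS defaults.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: payments            # hypothetical workload namespace
spec:
  podSelector: {}                # applies to every pod in the namespace
  policyTypes:
    - Egress                     # listing Egress with an allow-list makes
                                 # every destination not listed below denied
  egress:
    # 1. Cluster DNS only: kube-dns pods in kube-system (AND of both selectors).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. The single in-cluster service this workload actually needs.
    - to:
        - podSelector:           # same namespace; label is hypothetical
            matchLabels:
              app: ledger-api
      ports:
        - protocol: TCP
          port: 8443
```

Egress rules are only enforced when a network policy engine is enabled on the cluster, which the affected configuration (Azure Network Policy) already provides; verify the policy is in effect by confirming from a pod in the namespace that only DNS and the listed backend are reachable.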

Callie Guenther, senior manager, cyber threat research at Critical Start, said that though Microsoft has patched the issue, security teams should immediately audit their AKS configurations. That is especially true if they are using Azure CNI for network configuration and Azure for network policy, Guenther said in an emailed comment. “They should also rotate all Kubernetes secrets, implement strict pod security policies, and implement robust logging and monitoring to detect any suspicious activities,” Guenther noted. “While this vulnerability is significant, requiring prompt action, it is a second-stage attack, meaning it needs prior access to a pod. Thus, it should be prioritized accordingly within the broader context of an organization’s threat landscape.”
