December 29, 2023 at 07:00AM
Palo Alto Networks reports that an attacker who already has access to a Kubernetes cluster could exploit vulnerabilities in FluentBit and Anthos Service Mesh (ASM) within Google Kubernetes Engine (GKE) to gain complete control of the cluster. Google has released patches for the issues but urges users to manually update their clusters and node pools.
The key points:
– Palo Alto Networks identified vulnerabilities in FluentBit, the default logging agent in GKE, and in Anthos Service Mesh (ASM) that an attacker could chain together to escalate privileges and take over the Kubernetes cluster.
– The FluentBit and ASM vulnerabilities are second-stage issues: they require an attacker who already has a foothold in the cluster, but from there they allow complete control of the cluster, including data theft, deployment of malicious pods, and disruption of the cluster’s operations.
– After installation, the ASM Container Network Interface (CNI) DaemonSet retains more permissions than it needs once setup is complete, and an attacker can use those permissions to gain privileged access to the cluster.
– Google has released patches for both issues and urges users to manually update their clusters and node pools to the GKE and ASM versions that contain the fixes.
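The ASM CNI point above is one instance of a general pattern worth checking for in any cluster: a DaemonSet whose pod template still carries node-level privileges (privileged containers, host namespaces, added capabilities, hostPath mounts of directories such as the kubelet's pod storage) after its install step is done. The following is an added example, not code from Palo Alto Networks, Google, FluentBit or ASM. It audits DaemonSet objects in the JSON shape that `kubectl get daemonsets -A -o json` prints; the sample manifests, the sensitive-path list and the capability list are constructed for illustration and do not reproduce any real project's manifest.

```python
"""Audit DaemonSet pod templates for node-level privileges.

Added example, not code from Palo Alto Networks, Google, FluentBit or ASM.
Input: the JSON `kubectl get daemonsets -A -o json` prints. The SAMPLE
below is constructed and does not reproduce any real project's manifest.
"""
import json
import sys

# hostPath prefixes treated as sensitive (assumed list; extend for your nodes).
# /var/lib/kubelet holds every pod's volumes, projected service account tokens
# included, so a mount there lets one pod read other workloads' credentials.
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/root", "/run", "/var/run",
    "/var/lib/kubelet", "/var/lib/docker", "/var/lib/containerd",
)
# Capabilities that merit a finding even when the container is not privileged.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def hostpath_is_sensitive(path):
    """True if `path` is, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = path.rstrip("/") or "/"
    for prefix in SENSITIVE_HOST_PATHS:
        p = prefix.rstrip("/") or "/"
        if p == "/":
            if norm == "/":  # only the root itself, not everything under it
                return True
        elif norm == p or norm.startswith(p + "/"):
            return True
    return False


def qualified_name(ds):
    return f'{ds["metadata"].get("namespace", "default")}/{ds["metadata"]["name"]}'


def audit_daemonset(ds):
    """Return a list of findings (strings) for one DaemonSet object."""
    name = qualified_name(ds)
    pod = ds["spec"]["template"]["spec"]
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(flag):
            findings.append(f"{name}: {flag}=true")
    # volume name -> host path, so each container's mounts can be resolved
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    # Init containers count: a privileged install step stays in the template
    # and runs again on every node the DaemonSet is scheduled to.
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: container {c['name']} is privileged")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap in DANGEROUS_CAPS:
                findings.append(f"{name}: container {c['name']} adds {cap}")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None and hostpath_is_sensitive(path):
                findings.append(f"{name}: container {c['name']} mounts "
                                f"hostPath {path} at {m['mountPath']}")
    return findings


def audit_daemonset_list(doc):
    """Audit a `kind: List` of DaemonSets; returns {namespace/name: findings}."""
    return {qualified_name(ds): audit_daemonset(ds) for ds in doc.get("items", [])}


# Constructed sample in the `kubectl get ds -A -o json` shape (hypothetical names).
SAMPLE = {"items": [
    {"metadata": {"name": "logging-agent", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}},
                     {"name": "pods", "hostPath": {"path": "/var/lib/kubelet/pods"}}],
         "containers": [{"name": "agent", "volumeMounts": [
             {"name": "varlog", "mountPath": "/var/log"},
             {"name": "pods", "mountPath": "/var/lib/kubelet/pods"}]}]}}}},
    {"metadata": {"name": "cni-node", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "volumes": [{"name": "cni-bin", "hostPath": {"path": "/opt/cni/bin"}},
                     {"name": "cni-conf", "hostPath": {"path": "/etc/cni/net.d"}}],
         "initContainers": [{"name": "install-cni",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [
                                 {"name": "cni-bin", "mountPath": "/host/opt/cni/bin"},
                                 {"name": "cni-conf", "mountPath": "/host/etc/cni/net.d"}]}],
         "containers": [{"name": "cni-node",
                         "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]}},
                         "volumeMounts": [{"name": "cni-conf", "mountPath": "/host/etc/cni/net.d"}]}]}}}},
    {"metadata": {"name": "metrics-agent", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "agent", "securityContext": {"runAsNonRoot": True}}]}}}},
]}

if __name__ == "__main__":
    # Real use: kubectl get daemonsets -A -o json | python3 audit_ds.py
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ds_name, found in audit_daemonset_list(doc).items():
        print(f"{ds_name}: {len(found)} finding(s)")
        for line in found:
            print("  " + line)
```

On the constructed sample the logging agent gets one finding (its mount of the kubelet pod directory), the CNI DaemonSet gets six (host networking, a privileged init container, added capabilities and two hostPath mounts under /etc), and the metrics agent gets none. A finding is not by itself a vulnerability; it is the list of DaemonSets whose pod template would be worth reviewing against what they still need after installation, which is the question the ASM CNI issue raises.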
Teams running GKE should confirm that the cluster, each of its node pools, and ASM are on the patched versions; because the update is manual, a cluster that has been upgraded can still have node pools that have not, and those remain exposed until they are updated too.