Azure Kubernetes Services Vulnerability Exposed Sensitive Information


August 21, 2024 at 07:42AM

A privilege escalation vulnerability in Microsoft Azure Kubernetes Services allowed attackers to access sensitive information, including cluster credentials. The flaw impacted clusters using Azure CNI and Azure for network policy. Exploiting this flaw, attackers could access secrets, compromise clusters, and abuse cloud services and metadata servers, potentially leading to network interference and data theft.

The key takeaways regarding the vulnerability in Microsoft Azure Kubernetes Services are as follows:

– A privilege escalation vulnerability was identified in Microsoft Azure Kubernetes Services that could allow attackers to access sensitive information such as credentials for services used by the cluster, potentially compromising the security of the cluster and the data within it.

– The vulnerability impacted Azure Kubernetes Services clusters set to use Azure CNI for network configuration and Azure for network policy. This issue could allow attackers to access any secret on the cluster.

– An attacker with command execution in a Pod running within an affected Azure Kubernetes Services cluster could exploit the vulnerability to read all secrets within the cluster.

– The flaw could be exploited even if the pod did not run with hostNetwork enabled or did not have root privileges, highlighting its severity.

– The vulnerability in Azure Kubernetes Services was resolved by Microsoft after being notified via its vulnerability disclosure program.

– Additionally, improperly configured Kubernetes clusters could allow attackers to execute code on pods, access resources available to other pods, compromise clusters, and potentially access the on-premises network.

– The vulnerable clusters exposed internal cloud services for the worker nodes, including the metadata server, which provides machine configuration and credentials used to identify the machine to the cloud provider.

– The metadata server, accessible at http://169.254.169.254, could be exploited by a network attacker to expose tokens, with the potential to create a kubelet certificate for their own machine and use those credentials to attack the control plane, steal secrets, and interfere with the workloads scheduled on their malicious ‘node’.

– Notably, an undocumented component named WireServer in Azure could be used by attackers to obtain the key used to encrypt protected settings values and decrypt encrypted settings blobs, potentially leading to privilege escalation.

It is important to ensure that Azure Kubernetes Services clusters are properly configured and that security best practices and controls are in place to mitigate these vulnerabilities.
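As an added example (not code from the original article, from Microsoft, or from the researchers who reported the flaw), the script below shows one detection control a cluster operator could run over Kubernetes API-server audit logs for two of the behaviours described above: a kubelet client certificate being requested by an identity outside the normal node-bootstrap path, and a node identity attempting to list or watch secrets beyond the namespace scope a kubelet needs. The audit events, the node names and the set of identities expected to request kubelet certificates are all constructed assumptions for this example; the field names follow the audit.k8s.io/v1 Event schema, and the CSR check requires the audit policy to log at RequestResponse level so that the request body is present.

```python
import json

# Signer name the API server uses for kubelet client certificates (real Kubernetes value).
KUBELET_SIGNER = "kubernetes.io/kube-apiserver-client-kubelet"

# Groups normally present on identities that legitimately request kubelet client
# certificates. ASSUMPTION for this example: tune to the cluster's bootstrap setup.
EXPECTED_CSR_REQUESTER_GROUPS = {"system:bootstrappers", "system:nodes"}

# Constructed sample audit events (one JSON object per line), not real cluster data.
SAMPLE_AUDIT_LINES = """
{"auditID": "a1", "verb": "get", "user": {"username": "system:node:aks-nodepool1-000", "groups": ["system:nodes", "system:authenticated"]}, "objectRef": {"resource": "secrets", "namespace": "default", "name": "app-tls"}}
{"auditID": "a2", "verb": "create", "user": {"username": "system:bootstrap:abc123", "groups": ["system:bootstrappers", "system:authenticated"]}, "objectRef": {"resource": "certificatesigningrequests"}, "requestObject": {"spec": {"signerName": "kubernetes.io/kube-apiserver-client-kubelet"}}}
{"auditID": "a3", "verb": "create", "user": {"username": "system:serviceaccount:default:default", "groups": ["system:serviceaccounts", "system:authenticated"]}, "objectRef": {"resource": "certificatesigningrequests"}, "requestObject": {"spec": {"signerName": "kubernetes.io/kube-apiserver-client-kubelet"}}}
{"auditID": "a4", "verb": "list", "user": {"username": "system:node:rogue-node", "groups": ["system:nodes", "system:authenticated"]}, "objectRef": {"resource": "secrets"}}
"""


def findings_for_event(event: dict) -> list:
    """Return human-readable findings for a single audit event (empty list if benign)."""
    findings = []
    user = event.get("user", {})
    username = user.get("username", "")
    groups = set(user.get("groups", []))
    obj = event.get("objectRef", {})
    verb = event.get("verb", "")
    resource = obj.get("resource", "")
    namespace = obj.get("namespace")  # absent for cluster-scoped requests

    # Check 1: kubelet client CSR created by an identity outside the bootstrap path.
    # requestObject is only logged at RequestResponse audit level.
    if verb == "create" and resource == "certificatesigningrequests":
        spec = (event.get("requestObject") or {}).get("spec", {})
        if spec.get("signerName") == KUBELET_SIGNER and not (groups & EXPECTED_CSR_REQUESTER_GROUPS):
            findings.append(f"kubelet client CSR requested by unexpected identity {username!r}")

    # Check 2: a node identity enumerating secrets. A kubelet fetches individual
    # secrets for its own pods; a list/watch, especially cluster-wide, is anomalous.
    if resource == "secrets" and verb in ("list", "watch") and username.startswith("system:node:"):
        scope = "cluster-wide" if namespace is None else f"in namespace {namespace!r}"
        findings.append(f"node identity {username!r} attempted to {verb} secrets {scope}")

    return findings


def scan(lines) -> list:
    """Scan an iterable of JSON audit lines; return (auditID, finding) pairs."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for finding in findings_for_event(event):
            results.append((event.get("auditID"), finding))
    return results


if __name__ == "__main__":
    for audit_id, finding in scan(SAMPLE_AUDIT_LINES.splitlines()):
        print(f"[{audit_id}] {finding}")
```

In the constructed sample, events a1 (a node reading one secret for its own pod) and a2 (a bootstrap identity requesting a kubelet certificate) produce no findings, while a3 and a4 do. In a real deployment the same logic would be fed from the audit-log sink rather than an inline string, and the expected-group set should be taken from the cluster's actual bootstrap configuration.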
