John Jordan

Critical TLS Bootstrap Attack Discovered on Azure Kubernetes Clusters

Cybersecurity researchers have identified a significant security flaw in Microsoft Azure Kubernetes Services (AKS) that could allow an attacker who already has code execution inside a pod to escalate privileges and obtain the credentials used to join nodes to the cluster. If exploited, the weakness can lead to a complete compromise of the cluster's secrets.


Key Takeaways

  • The flaw affects AKS clusters configured with "Azure CNI" for network configuration and "Azure" for network policy.

  • Microsoft has addressed the issue following responsible disclosure.

  • The attack leverages Azure WireServer, an internal platform service that pods can reach over the network, to request the key used to encrypt the node's protected settings values.

  • Exploitation only requires code execution in a pod; the pod does not need to be running as root.

Vulnerability Details

The attack technique, devised by Google-owned Mandiant, involves accessing a lesser-known component called Azure WireServer. From inside a pod, an attacker can ask WireServer for the key ("wireserver.key") that encrypts protected settings values. With that key the attacker can decrypt the protected settings and decode the node provisioning script they contain, which carries several secrets, including:

  • KUBELET_CLIENT_CONTENT: Generic Node TLS Key

  • KUBELET_CLIENT_CERT_CONTENT: Generic Node TLS Certificate

  • KUBELET_CA_CRT: Kubernetes CA Certificate

  • TLS_BOOTSTRAP_TOKEN: TLS Bootstrap Authentication Token

These values are Base64-encoded; once decoded they can be placed in a kubeconfig and used with the Kubernetes command-line tool (kubectl) to authenticate to the cluster's API server. In recently deployed AKS clusters the generic node identity has minimal Kubernetes permissions, but it can still list the nodes in the cluster. The TLS_BOOTSTRAP_TOKEN is the more serious exposure: it can be used to perform a TLS bootstrap attack, which ultimately grants read access to every secret in the cluster.

Mitigation Strategies

Mandiant recommends adopting a process for writing restrictive NetworkPolicies that allow pods egress only to the services they actually need. Denying everything else closes off this entire attack class: if pods cannot reach the undocumented WireServer endpoint at all, there is no key to steal and no privilege escalation through it. Two practical caveats apply. First, a NetworkPolicy is only enforced when the cluster runs a network policy engine; without one the object is accepted and silently ignored. Second, an "allow all egress" rule in any policy that selects a pod re-opens the path, so every namespace should be audited rather than assumed to be covered by a default-deny policy.

Related Vulnerabilities

The disclosure of this flaw comes on the heels of other significant Kubernetes vulnerabilities:

  1. Ingress-nginx Controller Flaw (CVE-2024-7646): Reported by Kubernetes security platform ARMO, this high-severity flaw in the ingress-nginx controller lets an attacker inject malicious content into certain annotations, bypassing the controller's validation checks and potentially gaining access to sensitive cluster resources.

  2. Kubernetes git-sync Project Flaw: A design flaw in the Kubernetes git-sync project could allow command injection across managed Kubernetes offerings, including Amazon EKS, Azure AKS, Google GKE, and Linode, leading to data exfiltration or command execution with the privileges of the git_sync user.

Taken together, these disclosures underscore the need for strong baseline controls in Kubernetes environments. Organizations should audit their clusters for the affected configurations, apply the vendor fixes, and enforce restrictive network policies so that workloads can reach only the services they require.

In today's digital age, robust cybersecurity measures are more important than ever. At BetterWorld Technology, our team of cybersecurity experts is committed to safeguarding your business from evolving threats. We offer comprehensive solutions tailored to protect your data and infrastructure. Whether you need proactive monitoring, threat assessment, or incident response, BetterWorld Technology has the expertise to keep your business secure. Contact us today to learn how our cutting-edge cybersecurity services can fortify your defenses. Enhance your cybersecurity posture and ensure peace of mind with BetterWorld Technology.
