Security Vulnerability in Azure Kubernetes Services Unveiled by Researchers

August 20, 2024

Cybersecurity researchers have discovered a security vulnerability in Microsoft Azure Kubernetes Services that could potentially be exploited by an attacker to escalate their privileges and gain access to service credentials. If an attacker is able to execute a command in a Pod running within an affected Azure Kubernetes Services cluster, they could download the cluster node's configuration, extract the TLS bootstrap tokens, and carry out a TLS bootstrap attack to read all secrets within the cluster, according to Mandiant, a Google-owned company.

Clusters that use 'Azure CNI' for the 'Network configuration' and 'Azure' for the 'Network Policy' are impacted by this privilege escalation bug. Microsoft has since rectified the issue following responsible disclosure. The attack method developed by the threat intelligence firm involves accessing a lesser-known component called Azure WireServer to request a key ('wireserver.key') used to encrypt protected settings values and decode a provisioning script that includes several secrets.

These secrets, such as 'KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, and KUBELET_CA_CRT' can be Base64 decoded and written to disk to use with the Kubernetes command-line tool kubectl to authenticate to the cluster, researchers Nick McClendon, Daniel McNamara, and Jacob Paullus explained. 'This account has minimal Kubernetes permissions in recently deployed Azure Kubernetes Service (AKS) clusters, but it can notably list nodes in the cluster.' The TLS_BOOTSTRAP_TOKEN, on the other hand, could be used to carry out a TLS bootstrap attack and ultimately gain access to all secrets used by running workloads. The attack does not require the pod to be running as root.

Mandiant suggests creating restrictive NetworkPolicies that only allow access to required services to prevent this type of attack. 'Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all,' the company said.

This disclosure comes as Kubernetes security platform ARMO highlighted a new high-severity Kubernetes flaw (CVE-2024-7646, CVSS score: 8.8) that affects the ingress-nginx controller and could allow a malicious actor to gain unauthorized access to sensitive cluster resources. 'The vulnerability stems from a flaw in the way ingress-nginx validates annotations on Ingress objects,' security researcher Amit Schendel said. 'The vulnerability allows an attacker to inject malicious content into certain annotations, bypassing the intended validation checks. This can lead to arbitrary command injection and potential access to the ingress-nginx controller's credentials, which, in default configurations, has access to all secrets in the cluster.'

This follows the discovery of a design flaw in the Kubernetes git-sync project that could enable command injection across Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and Linode. 'This design flaw can cause either data exfiltration of any file in the pod (including service account tokens) or command execution with the git_sync user privileges,' Akamai researcher Tomer Peled said. 'To exploit the flaw, all an attacker needs to do is apply a YAML file on the cluster, which is a low-privilege operation.' No patches are currently planned for this vulnerability, highlighting the importance for organizations to audit their git-sync pods to determine what commands are being run. 'Both vectors are due to a lack of input sanitization, which highlights the need for a robust defense regarding user input sanitization,' Peled added. 'Blue team members should be on the lookout for unusual behavior coming from the gitsync user in their organizations.'

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.