GCP-2023-047 Fix: Google fights hackers in Kubernetes

Brother

Deployment of malicious modules and data theft was successfully prevented.

The Google Cloud platform recently fixed a medium-severity vulnerability tracked under the internal identifier GCP-2023-047. This flaw could have been used by an attacker who already had access to the Kubernetes cluster to escalate privileges.

The problem was that the compromise of the Fluent Bit logging container could be combined with the high privileges required by Anthos Service Mesh to escalate privileges in the cluster. This is stated in the company's security recommendation dated December 14, 2023.

Unit 42 specialists from Palo Alto Networks, who discovered this flaw, pointed out the possibility of using this vulnerability to steal data, deploy malicious modules, and disrupt the cluster.

There is no confirmation yet that the vulnerability was used in real attacks. Google has already fixed the issue in the current versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM).

The vulnerability could only be successfully exploited if the attacker had already compromised the Fluent Bit container in another way, for example, through a remote code execution vulnerability.

Google Cloud noted that GKE uses Fluent Bit to process logs of workloads running in clusters. GKE's Fluent Bit was also configured to collect logs for Cloud Run workloads. This setting gave Fluent Bit access to Kubernetes account tokens for other pods running on the node.

Thus, an attacker could use this access to gain privileged access to a Kubernetes cluster with ASM enabled, and then use the ASM account token to escalate their privileges by creating a new module with cluster administrator rights.

Google fixed the vulnerability by removing Fluent Bit access to account tokens and rebuilding ASM functionality to reduce excessive permissions based on role-based access control.

Security expert Shaul Ben Hai highlighted the risks associated with system modules automatically created at cluster startup. They are built into the Kubernetes infrastructure and run immediately with elevated privileges, which carries a very specific and real risk.
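The two preconditions described above (a node-level logging agent that can read other pods' service-account tokens, and a service account that is bound to cluster-admin) can be audited from exported cluster objects. The following is an added example written for this post, not Google's or Unit 42's code; it assumes the token exposure came through a hostPath mount at or above the kubelet pod directory, which the post does not state, and it runs on constructed sample data in place of `kubectl get pods,clusterrolebindings -A -o json` output.

```python
"""Defender-side audit for the two preconditions chained in GCP-2023-047: a pod
that can read other pods' SA tokens, and a ServiceAccount holding cluster-admin."""

# Kubelet materialises every pod's projected token under this directory (assumption:
# the exposure is a hostPath mount at or above it; the post does not say how).
KUBELET_POD_DIR = "/var/lib/kubelet/pods"

# Constructed sample objects; names and namespaces are placeholders, not real ones.
SAMPLE_PODS = [
    {"metadata": {"name": "fluentbit-gke-x1", "namespace": "kube-system"},
     "spec": {"volumes": [{"name": "kubelet", "hostPath": {"path": "/var/lib/kubelet"}}]}},
    {"metadata": {"name": "web-7f9", "namespace": "default"},
     "spec": {"volumes": [{"name": "scratch", "emptyDir": {}}]}},
    {"metadata": {"name": "node-tools", "namespace": "kube-system"},
     "spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "mesh-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "mesh-controller", "namespace": "mesh-system"}]},
    {"metadata": {"name": "view-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader", "namespace": "default"}]},
]

def mount_covers_token_dir(host_path: str) -> bool:
    """True if host_path equals KUBELET_POD_DIR or is one of its ancestors (including '/')."""
    base = host_path.rstrip("/")
    return base == KUBELET_POD_DIR or KUBELET_POD_DIR.startswith(base + "/")

def pods_exposing_node_tokens(pods):
    """Return 'namespace/pod' for pods whose hostPath volumes reach other pods' tokens."""
    found = []
    for pod in pods:
        for vol in pod["spec"].get("volumes", []):
            path = vol.get("hostPath", {}).get("path")
            if path and mount_covers_token_dir(path):
                meta = pod["metadata"]
                found.append(f"{meta['namespace']}/{meta['name']}")
                break  # one offending volume is enough to flag the pod
    return found

def service_accounts_with_cluster_admin(bindings):
    """Return 'namespace/serviceaccount' for SAs bound directly to cluster-admin."""
    return sorted(
        f"{s['namespace']}/{s['name']}"
        for b in bindings if b["roleRef"]["name"] == "cluster-admin"
        for s in b.get("subjects", []) if s["kind"] == "ServiceAccount"
    )
```

Any pod in the first list combined with any account in the second reproduces the shape of the chain the post describes; the RBAC check deliberately looks only at direct cluster-admin bindings, so aggregated roles or roles that merely allow creating pods and binding roles need a separate review.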