Sys:All - Kubernetes cluster capture via Google account

Brother

A misconfiguration lets anyone with a Google account inject a Trojan into the cluster.

The information security company Orca Security has discovered a vulnerability in Google Kubernetes Engine (GKE) that allows attackers holding an ordinary Google account to gain control over a Kubernetes cluster. The problem is codenamed Sys:All. An estimated 250,000 active GKE clusters are affected.

According to the Orca Security report, the root cause is a common misconception about the system:authenticated group in GKE. The system:authenticated group is a special group that includes every authenticated entity, both users and service accounts. Many administrators assume the group contains only their own verified users, when in fact in GKE it includes any Google account whatsoever. The consequences can be serious, because administrators may inadvertently grant this group far too much authority.

The particular danger is that external attackers can use their own Google OAuth 2.0 token to gain control of the cluster and then use it for various purposes, including cryptomining, denial-of-service (DoS) attacks, and theft of confidential data. In addition, this approach leaves no traces that could be tied back to a specific Gmail or Google Workspace account.

A wide range of sensitive data is exposed, including JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and access to container registries, the last of which can lead to malicious code being embedded in container images.

Google has already taken steps to fix the flaw by prohibiting binding the system:authenticated group to the cluster-admin role in GKE versions 1.28 and higher. The company also recommends that users not bind the system:authenticated group to any RBAC (role-based access control) role and check whether their clusters contain existing bindings to the group.

In addition, Google has added detection rules to Event Threat Detection and preventive rules to Policy Controller. All GKE users whose clusters have bindings to these groups were sent email notifications asking them to review their configurations.

Orca researchers warn that despite Google's improvements, there are still many other roles and permissions that can be assigned to the system:authenticated group. Organizations should therefore verify that the group holds no excessive privileges in their clusters.
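A practical form of the check Google recommends, as an added example that is not part of the original post and not Orca's or Google's tooling: a small script that audits the output of `kubectl get clusterrolebindings,rolebindings -A -o json` and reports every binding whose subjects include system:authenticated. The sample JSON inside the script is constructed for illustration. Two extensions beyond the text are assumptions of this example: it also flags the standard Kubernetes groups system:unauthenticated and system:anonymous, and it downgrades the three stock discovery bindings Kubernetes itself creates (system:basic-user, system:discovery, system:public-info-viewer) to DEFAULT so they do not drown out the findings that matter. The HIGH_RISK_ROLES list is likewise an assumed starting point, not an official list.

```python
"""Audit Kubernetes RBAC bindings for the system:authenticated group (Sys:All).

Added example, not code from the original post, Orca Security or Google.
Usage:  kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit_sysall.py
"""
import json
import sys

# Groups every request automatically belongs to. system:authenticated is the
# group discussed in the post; the other two are stock Kubernetes groups and
# are included here as an assumed extra check.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}

# Roles treated as HIGH severity when bound to a broad group (assumed list).
HIGH_RISK_ROLES = {"cluster-admin", "admin", "edit"}

# ClusterRoleBindings Kubernetes creates by default for discovery; these bind
# system:authenticated on purpose and are reported at DEFAULT severity.
KUBE_DEFAULT_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

# Constructed sample mimicking `kubectl ... -o json` output (not from a real cluster).
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {   # the Sys:All worst case: every Google account is cluster-admin
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin-for-everyone"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # a namespaced Role that still leaks secrets to anyone authenticated
            "kind": "RoleBinding",
            "metadata": {"name": "secrets-reader", "namespace": "prod"},
            "roleRef": {"kind": "Role", "name": "secret-reader"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
        {   # a normal binding to a specific service account: not reported
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "ci-deployer"},
            "roleRef": {"kind": "ClusterRole", "name": "edit"},
            "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}],
        },
        {   # stock discovery binding shipped with Kubernetes
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "system:discovery"},
            "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
    ],
})


def find_broad_bindings(bindings_json: str) -> list[dict]:
    """Return every binding whose subjects include one of BROAD_GROUPS,
    with a severity of HIGH, REVIEW or DEFAULT."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        # `subjects` may be null in kubectl output for an empty binding
        groups = {
            s["name"] for s in item.get("subjects") or []
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS
        }
        if not groups:
            continue
        name = item["metadata"]["name"]
        role = item["roleRef"]["name"]
        if item["kind"] == "ClusterRoleBinding" and name in KUBE_DEFAULT_BINDINGS:
            severity = "DEFAULT"
        elif role in HIGH_RISK_ROLES:
            severity = "HIGH"
        else:
            severity = "REVIEW"
        findings.append({
            "binding": name,
            "kind": item["kind"],
            "namespace": item["metadata"].get("namespace", ""),
            "role": role,
            "groups": sorted(groups),
            "severity": severity,
        })
    return findings


def format_report(findings: list[dict]) -> str:
    """One line per finding, worst first, for a quick review."""
    order = {"HIGH": 0, "REVIEW": 1, "DEFAULT": 2}
    lines = []
    for f in sorted(findings, key=lambda f: order[f["severity"]]):
        scope = f["namespace"] or "cluster-wide"
        lines.append(f"{f['severity']:7} {f['kind']} {f['binding']} -> {f['role']} "
                     f"({scope}) via {', '.join(f['groups'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BINDINGS
    print(format_report(find_broad_bindings(data)))
```

Anything reported as HIGH or REVIEW should have the broad group removed from its subjects (or the binding deleted) and replaced with explicit users, groups or service accounts; the DEFAULT entries only grant API discovery and are expected.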