□ Alert - Google Cloud addresses a medium-severity security flaw that could allow attackers to escalate privileges in Kubernetes clusters.
□ "An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said as part of an advisory released on December 14, 2023.
□ Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations."
□ There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM):
□ A key prerequisite to successfully exploiting the vulnerability hinges on an attacker having already compromised a Fluent Bit container by some other initial access method, such as via a remote code execution flaw.
□ "GKE uses Fluent Bit to process logs for workloads running on clusters," Google elaborated. "Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node."
□ This meant that a threat actor could use this access to gain privileged access to a Kubernetes cluster that has ASM enabled and then subsequently use ASM's service account token to escalate their privileges by creating a new pod with cluster-admin privileges.
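The root cause Google describes, a host volume mount that let a logging container read other Pods' service account tokens, can be audited for in any cluster. The following is an added example, not code from Google or Unit 42: it flags containers whose hostPath mounts cover the kubelet pods directory, assuming the default kubelet root `/var/lib/kubelet` and a constructed pod list shaped like `kubectl get pods -A -o json` output (pod and container names are hypothetical).

```python
from pathlib import PurePosixPath

# Directory where the kubelet keeps every pod's volumes on the node, including
# projected service account tokens. Assumption: default kubelet root directory.
KUBELET_PODS = PurePosixPath("/var/lib/kubelet/pods")

def exposes_tokens(host_path: str) -> bool:
    """True if a hostPath equals, contains, or sits inside the kubelet pods dir."""
    p = PurePosixPath(host_path)
    return p == KUBELET_PODS or p in KUBELET_PODS.parents or KUBELET_PODS in p.parents

def find_token_exposing_mounts(pod_list: dict) -> list:
    """Return (namespace, pod, container, hostPath, readOnly) per risky mount."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        risky = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", [])
                 if "hostPath" in v and exposes_tokens(v["hostPath"]["path"])}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for m in c.get("volumeMounts", []):
                if m["name"] in risky:
                    # readOnly is reported but does not clear the finding:
                    # reading another pod's token is the exposure itself.
                    findings.append((meta.get("namespace", "default"), meta["name"],
                                     c["name"], risky[m["name"]], m.get("readOnly", False)))
    return findings

# Constructed sample (hypothetical names): a node log agent and an ordinary app pod.
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "log-agent-abc12"},
     "spec": {"volumes": [
                  {"name": "kubeletpods", "hostPath": {"path": "/var/lib/kubelet/pods"}},
                  {"name": "varlog", "hostPath": {"path": "/var/log"}}],
              "containers": [{"name": "agent", "volumeMounts": [
                  {"name": "kubeletpods", "mountPath": "/var/lib/kubelet/pods", "readOnly": True},
                  {"name": "varlog", "mountPath": "/var/log", "readOnly": True}]}]}},
    {"metadata": {"namespace": "default", "name": "web-1"},
     "spec": {"volumes": [{"name": "cache", "emptyDir": {}}],
              "containers": [{"name": "web", "volumeMounts": [
                  {"name": "cache", "mountPath": "/cache"}]}]}},
]}

if __name__ == "__main__":
    for finding in find_token_exposing_mounts(SAMPLE):
        print(finding)
```

Any finding is worth pairing with a review of which high-privilege service accounts run on the same nodes, since those are the tokens the mount would expose.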