Vulnerabilities in Google Kubernetes Engine Could Allow Cluster Takeover

In a recent report, cybersecurity firm Palo Alto Networks revealed two security weaknesses in Google Kubernetes Engine (GKE) that could allow an attacker to escalate privileges and potentially take control of an entire Kubernetes cluster. The issues, identified in FluentBit (GKE's default logging agent) and Anthos Service Mesh (ASM, an optional service-to-service communication add-on), can be chained together in a two-stage attack.

FluentBit, a lightweight log processor and forwarder, has been the default logging agent in GKE since March 2023. The weaknesses in FluentBit and ASM pose a significant risk only once an attacker has already gained remote code execution in the FluentBit container or has broken out of another container on the node.

The misconfiguration in FluentBit gives an attacker access to the service account token of any pod on the same node, allowing them to impersonate that pod, gain unauthorized access to the cluster, and list all currently running pods. Palo Alto Networks emphasizes that the resulting privilege escalation depends on the permissions of the neighboring pods on the node, which can amount to an extensive attack surface.

Furthermore, the cybersecurity firm discovered that ASM's Container Network Interface (CNI) DaemonSet retains excessive permissions after installation, enabling attackers to create a new pod with these permissions and gain privileged access to the cluster.

Chaining the two, an attacker who has abused the FluentBit misconfiguration can map the cluster, locate the Istio container, and leverage the ASM CNI DaemonSet's excessive permissions to create a powerful pod. That pod can then target a service account with elevated privileges and ultimately obtain permissions equivalent to a cluster administrator.

Google responded swiftly to the identified issues, releasing patches on December 14. Because the fixes are delivered as new GKE and ASM releases, users are advised to manually update both their cluster control planes and their node pools. The patched versions for GKE (1.25.16-gke.1020000, 1.26.10-gke.1235000, 1.27.7-gke.1293000, and 1.28.4-gke.1083000) and ASM (1.17.8-asm.8, 1.18.6-asm.2, and 1.19.5-asm.4) resolve the vulnerabilities. Google stresses that these issues are not exploitable on their own in GKE and require an initial compromise, and that no exploitation has been observed.
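Because each GKE and ASM minor line received its own fixed release, a version is only "patched" if it is at or above the fix for its own minor line; a cluster on 1.27.5 is not covered by the 1.28.4 release, for example. The following checker is an added example written for this article, not Google's tooling or part of the Palo Alto Networks report. It embeds the patched versions quoted above and compares a version string against the fix for the same minor line; the version strings tested against it are constructed inputs, and the `-gke.N` / `-asm.N` build-suffix format is assumed from the versions listed in the article.

```python
"""Compare GKE and ASM version strings against the patched releases named in the report.

Added example, not Google's or Palo Alto Networks' code. The patched versions below are
the ones quoted in the article; the version format (MAJOR.MINOR.PATCH-<flavour>.BUILD)
is inferred from those strings.
"""
import re

# Patched releases listed in the article, one per minor line.
PATCHED_GKE = [
    "1.25.16-gke.1020000",
    "1.26.10-gke.1235000",
    "1.27.7-gke.1293000",
    "1.28.4-gke.1083000",
]
PATCHED_ASM = [
    "1.17.8-asm.8",
    "1.18.6-asm.2",
    "1.19.5-asm.4",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(gke|asm)\.(\d+)$")


def parse_version(version):
    """Split '1.27.7-gke.1293000' into ((1, 27, 7, 1293000), 'gke').

    The numeric tuple sorts correctly with plain tuple comparison, which a raw
    string comparison would not (e.g. '1.27.10' < '1.27.7' as strings).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, flavour, build = match.groups()
    return (int(major), int(minor), int(patch), int(build)), flavour


def is_patched(version, patched_list):
    """Return True if `version` is at or above the fix for its minor line,
    False if it is below it, and None if the advisory lists no fix for that
    minor line (an older, unlisted line that must be assessed separately).
    """
    key, flavour = parse_version(version)
    for patched in patched_list:
        patched_key, patched_flavour = parse_version(patched)
        if patched_flavour != flavour:
            raise ValueError(f"{version!r} is not a {patched_flavour} version")
        # Same major.minor line: compare patch number, then build number.
        if patched_key[:2] == key[:2]:
            return key >= patched_key
    return None


def assess_cluster(control_plane, node_pools, asm=None):
    """Summarise a cluster: every component must be patched for the cluster to
    count as patched, because a fixed control plane with unpatched node pools
    still runs the vulnerable FluentBit agent on those nodes.
    """
    results = {"control_plane": is_patched(control_plane, PATCHED_GKE)}
    for name, version in node_pools.items():
        results[f"node_pool:{name}"] = is_patched(version, PATCHED_GKE)
    if asm is not None:
        results["asm"] = is_patched(asm, PATCHED_ASM)
    results["all_patched"] = all(v is True for k, v in results.items())
    return results


if __name__ == "__main__":
    # Constructed sample: patched control plane, one node pool lagging behind.
    report = assess_cluster(
        "1.27.7-gke.1293000",
        {"default-pool": "1.27.7-gke.1293000", "gpu-pool": "1.27.5-gke.200"},
        asm="1.18.6-asm.2",
    )
    for component, status in report.items():
        print(f"{component:>24}: {status}")
```

In practice the control-plane and node-pool versions would be read from `gcloud container clusters describe` and fed to `assess_cluster`; the point of the per-line comparison is that `all_patched` stays false until every node pool, not just the control plane, has been upgraded.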
