Security researchers at cloud security firm Orca have identified a serious access-control loophole in Google Kubernetes Engine (GKE) that could allow anyone with a Google account to gain control of a Kubernetes cluster. The issue, which Orca named Sys:All, is estimated to affect up to 250,000 active GKE clusters.
The problem stems from a common misconception about the system:authenticated group in GKE. Administrators tend to assume it contains only identities they control, such as users and service accounts in their own organization. In reality, it contains every account that has authenticated to Google, including personal Gmail accounts that have nothing to do with the organization. Any role bound to that group is therefore granted to every Google account holder in the world, which is why an overly permissive binding to it is so dangerous.
An external attacker needs nothing more than a Google account to exploit such a binding. They obtain a Google OAuth 2.0 bearer token for their own account and present it to the cluster's API server, which must be reachable from the attacker's network; the token satisfies authentication, membership in system:authenticated satisfies authorization, and the attacker inherits whatever role the binding grants. From there the usual options follow: lateral movement, cryptomining, denial of service, and theft of sensitive data.
Notably, Orca reports that this method leaves no trace that can be linked back to the Gmail or Google Workspace account used to obtain the bearer token.
In the clusters Orca examined, the exposure spanned a range of organizations and included JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and container registry credentials. The last of these could be used to tamper with the organization's container images.
Following responsible disclosure, Google now blocks binding the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later. Google also advises against binding system:authenticated to any RBAC role at all, and recommends that cluster owners check for existing unsafe bindings and remove them.
There is no public record of large-scale attacks using this method, but security experts warn that it may only be a matter of time and urge users to tighten their cluster access controls now. Orca stresses that Google's change covers only cluster-admin: every other role and permission can still be bound to system:authenticated, so auditing those bindings remains the cluster owner's job.
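The audit Google recommends is straightforward to script. The following is an added example, not Orca's or Google's tooling: it parses the JSON that kubectl prints for ClusterRoleBindings and RoleBindings, flags every binding whose subjects include system:authenticated (on GKE, any Google account) or system:unauthenticated (anyone at all), separates the three discovery-only bindings that upstream Kubernetes creates by default from everything else, and emits the kubectl commands that would remove the rest. The sample kubectl output, binding names and namespace are constructed for the example.

```python
"""Audit Kubernetes RBAC for bindings that grant rights to every Google account.

Added example (not Orca's or Google's tooling). It reads the JSON that
`kubectl get clusterrolebindings,rolebindings -A -o json` produces and flags
every binding whose subjects include system:authenticated (any Google account
on GKE) or system:unauthenticated (anyone at all). The sample output below is
constructed inline so the script runs offline.
"""
import json
import sys

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Bindings that upstream Kubernetes creates for these groups. They grant only
# API discovery (reading /version, /api, /apis) and are expected to exist.
EXPECTED_DEFAULTS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_broad_bindings(items):
    """Return one finding per binding that names a broad group as a subject."""
    findings = []
    for binding in items:
        meta = binding["metadata"]
        groups = sorted(
            s["name"] for s in binding.get("subjects") or []
            if s.get("kind") == "Group" and s["name"] in BROAD_GROUPS
        )
        if not groups:
            continue
        role = binding["roleRef"]
        # A default counts as expected only while it still points at the
        # built-in ClusterRole of the same name; a retargeted one is flagged.
        is_default = (
            binding["kind"] == "ClusterRoleBinding"
            and meta["name"] in EXPECTED_DEFAULTS
            and role["kind"] == "ClusterRole"
            and role["name"] == meta["name"]
        )
        findings.append({
            "kind": binding["kind"],
            "namespace": meta.get("namespace"),
            "name": meta["name"],
            "groups": groups,
            "role": f'{role["kind"]}/{role["name"]}',
            "expected_default": is_default,
        })
    return findings


def audit(kubectl_json):
    """Parse `kubectl ... -o json` output (a v1 List) and return the findings."""
    return find_broad_bindings(json.loads(kubectl_json)["items"])


def remediation_commands(findings):
    """kubectl commands that delete every non-default broad binding."""
    cmds = []
    for f in findings:
        if f["expected_default"]:
            continue
        if f["kind"] == "ClusterRoleBinding":
            cmds.append(f'kubectl delete clusterrolebinding {f["name"]}')
        else:
            cmds.append(f'kubectl delete rolebinding -n {f["namespace"]} {f["name"]}')
    return cmds


RBAC = "rbac.authorization.k8s.io"

# Constructed sample of kubectl output; names and the "prod" namespace are invented.
SAMPLE_KUBECTL_OUTPUT = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # the Sys:All misconfiguration: every Google account is cluster-admin
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "all-authenticated-admin"},
            "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": "system:authenticated"}],
        },
        {   # upstream default: discovery only, expected to exist
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "system:discovery"},
            "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "system:discovery"},
            "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": "system:authenticated"}],
        },
        {   # namespaced, but still lets any Google account read most of "prod"
            "kind": "RoleBinding",
            "metadata": {"name": "prod-readers", "namespace": "prod"},
            "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "view"},
            "subjects": [{"apiGroup": RBAC, "kind": "Group", "name": "system:authenticated"}],
        },
        {   # scoped to one named user: not flagged
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "alice-admin"},
            "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"apiGroup": RBAC, "kind": "User", "name": "alice@example.com"}],
        },
    ],
})

if __name__ == "__main__":
    # Real use: kubectl get clusterrolebindings,rolebindings -A -o json > rbac.json
    #           python3 audit_rbac.py rbac.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KUBECTL_OUTPUT
    results = audit(data)
    for f in results:
        tag = "expected default" if f["expected_default"] else "REVIEW"
        where = f'{f["kind"]} {f["namespace"] + "/" if f["namespace"] else ""}{f["name"]}'
        print(f'[{tag}] {where}: {",".join(f["groups"])} -> {f["role"]}')
    for cmd in remediation_commands(results):
        print("fix:", cmd)
```

Run it once per cluster after fetching credentials for that cluster, and treat every REVIEW line as something to justify or delete. The script deliberately trusts only the three upstream discovery bindings, and only while they still point at the built-in ClusterRole of the same name, so a binding that has been renamed to look like a default but retargeted at a privileged role is still reported. Note that the GKE 1.28 guard described above would reject only the first sample binding; the RoleBinding to the view role is exactly the kind of lesser grant that Orca warns remains possible.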