Google Kubernetes Engine at Risk: Vulnerabilities Allow Cluster Takeover Scenarios

Palo Alto Networks, a cybersecurity firm, has reported that an attacker with access to a Kubernetes cluster could exploit two vulnerabilities in Google Kubernetes Engine (GKE) to gain privileged access and take control of the cluster. These vulnerabilities were identified in FluentBit, the default logging agent in GKE, and Anthos Service Mesh (ASM), an optional add-on for managing service-to-service communication.

FluentBit, a log processor and forwarder, has been the default logging agent in GKE since March 2023 and is deployed as a DaemonSet. ASM is Google’s implementation of the Istio Service Mesh open-source project for service management.

If an attacker has already achieved remote code execution in the FluentBit container or can break out of another container, they can exploit the vulnerabilities in FluentBit and ASM as part of a second-stage attack. This would grant the attacker complete control of the Kubernetes cluster, which can be utilized for data theft, deploying malicious pods, and disrupting the cluster’s operations.

A misconfiguration in FluentBit allows an attacker to impersonate any pod on the node by using that pod’s token. This can grant unauthorized access to the cluster and enable the attacker to list all running pods. Additionally, Palo Alto Networks found that ASM’s Container Network Interface (CNI) DaemonSet retains excessive permissions, which an attacker can exploit to gain privileged access to the cluster.
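As an added defender-side check, not code from the article, Palo Alto Networks or Google, the Python script below audits DaemonSet and ClusterRole manifests for the two patterns just described: a hostPath mount that exposes the tokens of every pod on the node, and a role granting wildcard permissions. The article does not give the paths or rules involved; the kubelet pod directory, the privileged/SYS_ADMIN test and the sample manifests are this check's own assumptions.

```python
import posixpath

# Assumption (not stated in the article): every pod's projected service-account
# token lives under the kubelet pod directory on the node, so a hostPath mount of
# that directory or of any ancestor lets one container read all of them.
KUBELET_POD_DIR = "/var/lib/kubelet/pods"


def _covers(host_path: str, target: str) -> bool:
    """True if mounting host_path from the node exposes target (same dir or ancestor)."""
    h, t = posixpath.normpath(host_path), posixpath.normpath(target)
    return h == "/" or t == h or t.startswith(h + "/")


def audit_daemonset(ds: dict) -> list:
    """Return findings for one DaemonSet manifest (parsed from JSON or YAML)."""
    findings = []
    name = ds.get("metadata", {}).get("name", "<unnamed>")
    pod = ds.get("spec", {}).get("template", {}).get("spec", {})
    for vol in pod.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and _covers(path, KUBELET_POD_DIR):
            findings.append(f"{name}: hostPath {path} exposes the tokens of every pod on the node")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        caps = set(sc.get("capabilities", {}).get("add", []))
        if sc.get("privileged") or caps & {"SYS_ADMIN", "ALL"}:
            findings.append(f"{name}/{c['name']}: privileged or SYS_ADMIN container")
    return findings


def audit_clusterrole(role: dict) -> list:
    """Flag ClusterRole rules granting wildcard verbs or resources (excessive permissions)."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    return [f"{name}: wildcard rule {rule}" for rule in role.get("rules", [])
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])]


# Constructed sample manifests, not Google's actual FluentBit or ASM CNI objects.
SAMPLE_DS = {"metadata": {"name": "logging-agent"}, "spec": {"template": {"spec": {
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}},
                {"name": "pods", "hostPath": {"path": "/var/lib/kubelet/pods/"}}],
    "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}}}}
SAMPLE_ROLE = {"metadata": {"name": "cni-role"},
               "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]}

if __name__ == "__main__":
    for finding in audit_daemonset(SAMPLE_DS) + audit_clusterrole(SAMPLE_ROLE):
        print("FINDING:", finding)
```

On a live cluster the same functions can be fed the output of `kubectl get daemonsets -A -o json` and `kubectl get clusterroles -o json`, one item at a time.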

Google released patches for both vulnerabilities on December 14, urging users to manually update their clusters and node pools. The patched versions of GKE and ASM resolve the bugs. Google states that these vulnerabilities are not exploitable on their own in GKE and require an initial compromise.

It is important for users to update their systems to protect against potential exploitation of these vulnerabilities.