A group of cybersecurity researchers has discovered a flaw in Google Kubernetes Engine (GKE) that could be exploited by any attacker holding a Google account to take control of a Kubernetes cluster.
If you do not know what Google Kubernetes Engine is, check the documentation on Google's official website; put very briefly, it is the managed Kubernetes service at the “heart” of the technology giant's Cloud offerings, and at the same time it underpins certain kinds of online activity for end users.
What is the Google Kubernetes Engine (GKE) vulnerability?
The serious vulnerability has been named Sys:All by cloud security company Orca, and up to 250,000 active GKE clusters are estimated to be susceptible to this attack vector.
In a report written by cybersecurity firm Orca, security researcher Ofir Yakobi stated that the issue “derives from a presumed widespread conception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, while in reality it includes any authenticated Google account (even outside your organization)”.
The system:authenticated group is a special group that includes all authenticated entities, both human users and service accounts; consequently, it can have serious repercussions when administrators mistakenly bind it to overly permissive roles (above all, the classic administrator role, cluster-admin).
In particular, an attacker, that is an external user in possession of any Google account, could exploit this misconfiguration by presenting their own Google OAuth 2.0 bearer token to take control of the cluster, subsequently enabling lateral movement, cryptomining, denial-of-service attacks and theft of sensitive data.
To make matters worse, this approach leaves no traces that can be linked back to the actual Gmail or Google Workspace account that obtained the OAuth bearer token.
Sys:All was found to be present in numerous organizations, leading to the exposure of various sensitive data such as JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys and container registry credentials, the latter of which could then be used to Trojanize container images.
Following a responsible disclosure to Google, the company has taken measures to block the binding of the system:authenticated group to the cluster-admin role in GKE (Google Kubernetes Engine) versions 1.28 and later.
“To help protect your clusters from mass malware attacks that exploit cluster-admin access misconfigurations, GKE clusters running version 1.28 and later will not allow the cluster-admin ClusterRole to be associated with the system:anonymous user or the system:unauthenticated or system:authenticated groups”, reads Google's documentation today.
Google also advises users not to bind the system:authenticated group to RBAC roles and to check whether their clusters grant anything to the group through both ClusterRoleBindings and RoleBindings, removing any unsafe bindings.
Orca also warned that while there are no publicly known large-scale attacks using this method against Google Kubernetes Engine, it may only be a matter of time, making it necessary for users to take appropriate measures to secure the access controls on their clusters.
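The audit Google recommends can be scripted against the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` returns. The following is an added example, not code from Orca or Google: it flags every binding whose subjects include system:authenticated, system:unauthenticated or system:anonymous, rates cluster-admin as critical, and marks the discovery-only bindings that upstream Kubernetes ships by default so that only deviations stand out. The sample input is constructed to mirror kubectl's List output.

```python
import json

# Subjects that any Google account (or no account at all) falls into.
RISKY_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}
# ClusterRoles that upstream Kubernetes binds to these groups by default;
# they grant only discovery/self-info access (assumed baseline, adjust as needed).
DEFAULT_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}

def severity(role_name, kind):
    if role_name == "cluster-admin":
        return "CRITICAL"
    if kind == "ClusterRoleBinding" and role_name in DEFAULT_ROLES:
        return "default"
    return "REVIEW"

def find_risky_bindings(bindings_json):
    """Return one finding per binding that grants a role to a risky group/user."""
    findings = []
    for b in json.loads(bindings_json)["items"]:
        kind, meta, role = b["kind"], b["metadata"], b["roleRef"]["name"]
        for s in b.get("subjects") or []:  # subjects may be absent entirely
            if (s.get("kind"), s.get("name")) in RISKY_SUBJECTS:
                findings.append({"kind": kind, "namespace": meta.get("namespace", ""),
                                 "name": meta["name"], "subject": s["name"],
                                 "role": role, "severity": severity(role, kind)})
    return findings

# Constructed sample shaped like kubectl's List output (not real cluster data).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "prod"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team", "namespace": "prod"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]})

if __name__ == "__main__":
    for f in find_risky_bindings(SAMPLE):
        print(f"{f['severity']:8} {f['kind']} {f['namespace']}/{f['name']}: "
              f"{f['subject']} -> {f['role']}")
```

Pipe real output in with `kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; anything rated CRITICAL or REVIEW is a binding to delete or rebind to a named group.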
“Even though this is an optimization, it's important to note that there remain many other roles and permissions that can be assigned to the group”, the company said.