GKE Case Highlights Risks of Attackers Chaining Vulnerabilities – Source: securityboulevard.com

Palo Alto Network’s cybersecurity recently outlined two vulnerabilities it found in Google Kubernetes Engine (GKE) that, individually, don’t represent much of a threat.

However, if a threat actor who already had access to a Kubernetes cluster were to combine the two, they could potentially escalate their privileges and eventually take over the cluster, which could lead to significant security ramifications, the Unit 42 researchers wrote in a report.

Google last month fixed the configuration issues in both FluentBit, a lightweight log processor that has been the default logging agent in all GKE clusters since March 2023, and Anthos Service Mesh (ASM), Google’s implementation of the open-source Istio Service Mesh project enables users to connect, secure, and control services.

The company said it is not aware of attempts to exploit the vulnerabilities in tandem.

However, the discovery of the vulnerabilities and the risk they pose when used together highlight a growing way for bad actors to run second-stage cloud attacks, in which the cybercriminal already has gained some access to the Kubernetes cluster. Once in the cluster, they’ll look for misconfigurations or other flaws to spread to spread into the cluster or escalate their privileges, Unit 42 security researcher Shaul Ben Hai wrote.

The Threat of Container Escape

“In these cat and mouse games between attackers and defenders, container escape will continue to be a threat,” Ben Hai wrote. “Attackers will always try to find a way to escape and gain control over cloud environments. Cloud infrastructures and environments should be secure enough that even if an attacker succeeds in entering, they will not be able to do damage (or at least no significant damage).”

He noted that “sometimes it will be possible to think that a certain misconfiguration is not necessarily a security matter or an issue that can affect your protected cloud environment. However, chaining several misconfigurations can lead to the creation of a strong exploit chain.”

The complexity of Kubernetes and its wide use for application deployment and management make the open-source container platform an attractive target for attackers, he wrote, adding that security breaches created by misconfigurations or excessive privileges can happen without the user being aware.

Exploiting Tandem Flaws Not Uncommon

Cybersecurity experts told Security Boulevard that it’s not uncommon to see sophisticated threat groups chaining vulnerabilities, with Joseph Carson, chief security scientist and advisory CISO at Delinea, saying that “these types of vulnerabilities make it difficult for organizations to evaluate the risks as they might look at each vulnerability individually. This is why organizations must assess the risks of the service as a whole and identify vulnerability chain exploits that they might be exposed to.”

Callie Guenther, senior manager of cyberthreat research at Critical Start, agreed that it’s not unusual to find vulnerabilities in complex systems like Kubernetes that can be exploited in tandem, but that “it’s less common for two distinct vulnerabilities in different components – like FluentBit and ASM in this case – to align in a way that allows for such a significant escalation of privileges.”

Bad Actors Need Both FluentBit and ASM

There needs to be specific configurations, which in this case means the presence of both FluentBit and ASM in the cluster. “This specificity makes the scenario less common but more dangerous for those environments that meet the criteria,” Guenther said.

Unit 42’s Ben Hai wrote that if the cluster has ASM installed and the attackers can execute in the FluentBit container by finding a remotely exploitable flaw in it, they can gain complete control of the cluster to “conduct data theft, deploy malicious pods and disrupt the cluster’s operations.”

The attackers can exploit a misconfiguration in FluentBit to use the token of a pod in the node and impersonate the pod. This can lead to unauthorized access to the cluster and from there map the entire cluster and find the Istio-Installer-container token. From there, they can leverage the ASM CNI Dae They can search for tokens

“The second step of this chain exploits the fact that the ASM’s Container Network Interface (CNI) DaemonSet retains excessive permissions post-installation,” he wrote. “This allows an attacker to create a new pod with ASM’s CNI DaemonSet permissions.”

From there they can create a pod with the permissions and get privileged access to the cluster.

Google wrote that it mitigated the threat by removing FluentBit’s access to the service account tokens and redesigned ASM’s functionality to remote excess privileges.

Critical Start’s Guenther said being able to escalate privileges and take over a Kubernetes cluster “could lead to significant operational disruptions, data theft, or deployment of malicious applications. The integration of multiple tools and services in cloud environments inherently increases the attack surface. Security teams must be vigilant about how these integrations can create new vulnerabilities or exacerbate existing ones.”

Detecting and mitigating chained vulnerabilities isn’t easy, given that security teams need to have a deep understanding of the specific configurations and the interactions between components in their Kubernetes environment, she said.