A critical privilege escalation vulnerability in Microsoft’s managed Azure Kubernetes Service (AKS) was recently disclosed [1] [2]; it allowed an attacker who could execute commands within a pod to access cluster secrets.
Description
A critical privilege escalation vulnerability in Microsoft’s managed Azure Kubernetes Service (AKS) was recently disclosed by Mandiant [1] [2], allowing attackers with command execution privileges within a pod to access cluster secrets [1]. The vulnerability affected AKS clusters configured with Azure CNI for network configuration and Azure for network policy [2] [4]. An attacker able to execute commands in a pod within an affected cluster could query Azure WireServer to extract the node's TLS bootstrap material, including the secrets KUBELET_CLIENT_CONTENT, KUBELET_CLIENT_CERT_CONTENT, KUBELET_CA_CRT and TLS_BOOTSTRAP_TOKEN [2] [3]. With these values the attacker could carry out a TLS bootstrap attack and gain unauthorized access to all secrets used by running workloads in the cluster. The compromised pod did not need to run with hostNetwork enabled or as the root user [2], which significantly widened the attack surface [2]. Security teams are advised to audit their AKS configurations, rotate Kubernetes secrets, enforce strict pod security policies, and implement robust logging and monitoring to detect suspicious activity [1]. Microsoft has since fixed the underlying issue [2]; AKS users should ensure their clusters are updated to a patched version to mitigate the impact of vulnerabilities like this [2].
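As an added example that is not part of the cited reports, the following Python helper supports the configuration audit recommended above: it reads the JSON that `az aks list -o json` returns and flags clusters running the affected Azure CNI plus Azure network policy combination. The cluster list below is constructed; the field names `networkProfile.networkPlugin` and `networkProfile.networkPolicy` are those of the AKS resource schema.

```python
import json

# Constructed sample of `az aks list -o json` output, trimmed to the relevant fields.
SAMPLE_AZ_AKS_LIST = json.dumps([
    {"name": "prod-east", "resourceGroup": "rg-prod",
     "networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"}},
    {"name": "prod-west", "resourceGroup": "rg-prod",
     "networkProfile": {"networkPlugin": "azure", "networkPolicy": "calico"}},
    {"name": "dev", "resourceGroup": "rg-dev",
     "networkProfile": {"networkPlugin": "kubenet", "networkPolicy": None}},
    {"name": "legacy", "resourceGroup": "rg-legacy"},  # no networkProfile at all
])


def is_affected_config(cluster: dict) -> bool:
    """True when the cluster uses Azure CNI with Azure network policy, the
    combination the disclosed issue applied to. Missing or null fields
    (kubenet clusters, partial API responses) are treated as not matching."""
    profile = cluster.get("networkProfile") or {}
    plugin = (profile.get("networkPlugin") or "").lower()
    policy = (profile.get("networkPolicy") or "").lower()
    return plugin == "azure" and policy == "azure"


def affected_clusters(az_aks_list_json: str) -> list[str]:
    """Return 'resourceGroup/name' for every cluster in the affected configuration."""
    clusters = json.loads(az_aks_list_json)
    return [f"{c.get('resourceGroup', '?')}/{c['name']}"
            for c in clusters if is_affected_config(c)]


if __name__ == "__main__":
    for entry in affected_clusters(SAMPLE_AZ_AKS_LIST):
        print(f"{entry}: Azure CNI + Azure network policy; "
              f"confirm the cluster is on a patched version and rotate secrets")
```

Against a real subscription, pipe the output of `az aks list -o json` into `affected_clusters` instead of the constructed sample.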
Conclusion
The privilege escalation vulnerability in Microsoft’s managed Azure Kubernetes Service highlights the importance of regular security audits, secret rotation, and strict security policies [1]. It is crucial for AKS users to update their clusters to patched versions to prevent unauthorized access to sensitive information and mitigate the impact of similar vulnerabilities in the future.
References
[1] https://www.darkreading.com/application-security/azure-kubernetes-bug-lays-open-cluster-secrets
[2] https://cybersecuritynews.com/microsoft-azure-kubernetes-services-vulnerability/
[3] https://thehackernews.com/2024/08/researchers-uncover-tls-bootstrap.html
[4] https://cloud.google.com/blog/topics/threat-intelligence/escalating-privileges-azure-kubernetes-services