Google Cloud addresses security flaws in Kubernetes clusters

Hotstar in UAE
Hotstar in UAE

Google Cloud has swiftly responded to a medium-severity security flaw in its platform that could pose a risk to Kubernetes clusters. The vulnerability, discovered and reported by Palo Alto Networks Unit 42, has the potential to be exploited by an attacker who already has access to a Kubernetes cluster, specifically targeting the Fluent Bit logging container.

This flaw, if abused, could allow the attacker to escalate their privileges within the cluster, leading to potential threats such as data theft, deploying malicious pods, and disrupting cluster operations. Google Cloud has solved the issue in the latest versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM), eliminating the risk associated with this vulnerability.

An attacker with access to a compromised Fluent Bit logging container could have escalated privileges in the cluster

Google Cloud disclosed the security flaw in an advisory released on December 14, 2023, providing details on the potential exploitation scenario. According to the advisory, an attacker who has compromised the Fluent Bit logging container can leverage this access along with the high privileges required by Anthos Service Mesh (on enabled clusters) to escalate their privileges within the Kubernetes cluster.

This could open the door to various bad activities, that not only include data theft but also disruptions to the normal operations of the cluster. There is currently no evidence of a bad actor abusing then flaw in the wild. However, besides providing more cloud storage to Workspace users, Google Cloud has taken proactive measures to rectify the issue in the affected versions of Google Kubernetes Engine and Anthos Service Mesh.

The versions 1.25.16-gke.1020000, 1.26.10-gke.1235000, 1.27.7-gke.1293000, 1.28.4-gke.1083000 for GKE, and 1.17.8-asm.8, 1.18.6-asm.2, 1.19.5-asm.4 for ASM address the security vulnerability.

Google Cloud has removed Fluent Bit’s access to service account tokens and has eliminated RBAC, addressing the security flaw

Google Cloud explained that the developers had configured Fluent Bit on GKE to collect logs for Cloud Run workloads. This arrangement granted Fluent Bit access to Kubernetes service account tokens for other pods on the node, as reported by TheHackerNews. It provided a potential entry point for attackers.

To address the security flaw, Google Cloud has removed Fluent Bit’s access to service account tokens and re-architected Anthos Service Mesh’s utility to eliminate excessive role-based access control (RBAC) permissions. The fix aims to enhance the overall security posture of Kubernetes clusters on Google Cloud by turning aside potential privilege escalation scenarios.

2024-01-02 15:05:46